Outline More Security Protocols CS 239 Computer Security February 4, 2004

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Outline More Security Protocols CS 239 Computer Security February 4, 2004"

Transcription

1 Outline More Security Protocols CS 239 Computer Security February 4, 2004 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication Usually the first requires the second Not much good to be sure the key is a secret if you don t know who you re sharing it with How can we achieve both goals? In a single protocol With relatively few messages Needham-Schroeder Key Exchange Uses symmetric cryptography equires a trusted authority Who takes care of generating the new key More complicated than some protocols we ve seen Page 3 Page 4 Needham-Schroeder, Step 1 What s the Point of A? A,, A A is nonce chosen by for this invocation of the protocol A random number Not used as a key, so quality of s random number generator not too important Helps defend against replay attacks Page 5 Page 6 1

2 A Needham-Schroeder, Step 2 E KA ( A,,, E KB (,)) What s all this stuff for? Including A prevents replay Including prevents attacker from replacing s identity Including the encrypted message for ensures that message can t be replaced Page 7 Needham-Schroeder, Step 3 E KB (,) So we re done, right? Wrong! KS Page 8 B Needham-Schroeder, Step 4 E KS ( B ) B B Needham-Schroeder, Step 5 E KS ( B -1) Now we re done! B B -1 Page 9 Page 10 What s All This Extra Stuff For? knows she s K K E KB (,) B A talking to K S said she was Can Can said he was E KA ( A,,, jump in later? jump in later? knows he s talking No, only No, all later E KB (,)) to could read the messages will use key package, which created doesn t know Page 11 What s All This Extra Stuff For? What about those random numbers? Page 12 2

3 Causes Problems and do something likes watches the messages they send to do so wants to make them do it again Can replay the conversation? Let s try it without the random numbers Waits For His Chance E KA (,, K A E KB (,)), Page 13 Page 14 What Will Do Now? The message could only have been created by It properly indicates she wants to talk to It contains a perfectly plausible key will probably go ahead with the protocol Page 15 The Protocol Continues steps aside for a bit E KB (,) With no random keys, we re done Page 16 So What s the Problem and agree is their key They both know the key definitely created the key for them Nobody else has the key But... Page 17 Steps Back Into the Picture E KS (Old message 2) can replay and s old conversation E KS (Old message 1) It s using the current key, so and will accept it Page 18 3

4 How Do the andom Numbers Help? s random number assures her that the reply from is fresh But why does need another random number? Page 19 Why Also Needs a andom Number Let s say doesn t want to talk to E KB (,) But wants to think wants to talk Page 20 So What? So, Everything s Fine, ight? E KS (Old message 1) can now play back an old message from to And will have no reason to be suspicious s random number exchange assured Not if any key ever gets divulged Once is divulged, can forge s response to s challenge And convince that he s talking to when he s really talking to him that really wanted to talk Page 21 Page 22 Cracks an Old Key E KS ( B ) E KB KS (K ( S B,) - 1) B B - 1 enlists 10,000 computers belonging to 10,000 grandmothers to crack Unfortunately, knows So can answer s challenge Page 23 Timestamps in Security Protocols One method of handling this kind of problem is timestamps Proper use of timestamps can limit the time during which an exposed key is dangerous But timestamps have their own problems Page 24 4

5 Using Timestamps in the Needham-Schroeder Protocol The trusted authority includes timestamps in his encrypted messages to and Based on a global clock When or decrypts, if the timestamp is too old, abort the protocol Page 25 Using Timestamps to Defeat E KB (,,T X ) E KB (,,T X ) T X << T now T now Now checks T X against his clock So, fearing replay, discards And s attack is foiled T X Page 26 Problems With Using Timestamps They require a globally synchronized set of clocks Hard to obtain, often Attacks on clocks become important They leave a window of vulnerability The Suppress-eplay Attack Assume two participants in a security protocol Using timestamps to avoid replay problems If the sender s clock is ahead of the receiver s, attacker can intercept message And replay later, when receiver s clock still allows it Page 27 Page 28 Handling Clock Problems 1). ely on clocks that are fairly synchronized and hard to tamper Perhaps GPS signals 2). Make all comparisons against the same clock So no two clocks need to be synchronized Page 29 Neuman-Stubblebine Protocol, Step 1, A A What does know? Someone claiming to be wants to talk securely A Page 30 5

6 A Neuman-Stubblebine Protocol, Step 2 knows thinks wants to talk to him But does she, B, E KB (, A,T B ), A,T B A B T B Neuman-Stubblebine Protocol, Step 3 really? Page 31 Page 32 A, A,,T B E KA (, A,,T B ), knows: E KB (,,T B ), B 1. heard her message 2. created a new key, A,T B B T B Neuman-Stubblebine Protocol, Step 4 E KB (,,T B ), B E KB (,,T B ), E KS ( B ) B guarantees knows T B guarantees it s a fresh session checks B and T B B B T B T B Page 33 What Has the Protocol Achieved? and share a key They know the key was generated by knows this key matches her recent request for a key knows this key matches s recent request and s agreement Page 34 What Has the Timestamp Done For and? knows that the whole agreement is timely Since the only timestamp originated with his clock, no danger of suppressreplay attacks What Else Can You Do With Security Protocols? Secret splitting and secret sharing Fair coin flips and other games Simultaneous contract signing Secure elections Zero knowledge proofs off-line Lots of other neat stuff Page 35 Page 36 6

7 Secret Splitting and Secret Sharing What if we have a secret that we need to recover later? We need to have it in other people s hands But we don t want anyone to be able to tell the secret Secret Splitting Divide the secret among two or more people They can combine to retrieve the secret But neither can guess the secret themselves Page 37 Page 38 Secret Splitting Example ecovering the Secret S S S? S S=? M wants to share secret M M` Page 39 Page 40 What If We Want To Do This Securely? What cryptographic steps would we perform to ensure security? That only and have secret components That they have components of the real secret What about ensuring that and both learn the secret if either does? Secret Sharing Say we have three participants,, Carol Can we arrange that: None of them know the secret alone Any pair of them can produce the secret Yes, using various secret sharing protocols Page 41 Page 42 7

8 Bit Commitment wants to make a choice now And prove to what that choice was Without telling him the choice now How can be sure that isn t cheating? E KS Basic Bit Commitment b E KS (,b) E KS (,b) can t tell yet what bit chose E KS (,b) Since doesn t have E KS Page 43 Page 44 E KS Now Claims the Bit Was 1 b E KS (,b) b == 1 E KS E KS (,b) How does prove it? If b == 1, told the truth,b E KS Why Does This Work? can t learn what b was until tells him gives a cryptographic package that she can t change Since the package includes, can t generate two keys, one for 0 and the other for 1 Page 45 Page 46 Making This Work Over the Network What would we have to do if was hanging around trying to screw things up? What if we wanted to keep the value of b secret from? What if we wanted to ensure that couldn t replace s choice? Page 47 Fair Coin Flips Two participants cryptographically flip a coin Based on clever use of bit commitment Cut and choose Basic version assumes no interfering third party And no need for secrecy Similar approaches can work for other games of chance Page 48 8

9 Simultaneous Contract Signing and want to sign a contract But only if each is sure the other also signs Basic method uses an arbitrator Non-arbitrated cryptographic method uses probabilistic outcome Verifying Security Protocols Security protocols are obviously very complicated And any flaw in the protocol can be very expensive Thus, verifying their correctness is of great value How to do it? Page 49 Page 50 Basic Approaches to Verifying Protocols Use standard specification and verification languages and tools Use expert systems Use logics for the analysis of knowledge and beliefs Use formal methods based on algebraic term-rewriting properties of cryptography Using Standard Specification and Verification Tools Treat protocol as a computer program and prove its correctness The oldest approach Using Finite state machines First-order predicate calculus Specification languages Page 51 Page 52 Problems With the Approach Using Expert Systems Very laborious Worse, correctness isn t the same as security The correctness you prove may not have even considered the possibility of certain attacks Too many protocols that have been proven have had security problems Develop an expert system that knows a lot about security protocols un it against proposed protocols In particular, use the expert system to determine if the protocol can reach an undesirable state Such as exposing a secret key Page 53 Page 54 9

10 Problems With the Expert System Approach Good at identifying flaws Provided they are based on already known problems Not so good at proving correctness or security Or at uncovering flaws based on new attacks Using Belief and Knowledge Logics An increasingly popular approach Describe certain properties that a security protocol should have Use logic to demonstrate the presence (or absence) of those properties Page 55 Page 56 BAN Logic Sample BAN Logic Statements Named for its creators (Burrows, Abadi, and Needham) The most popular method of this kind Used to reason about authentication Not other aspects of security Allows reasoning about beliefs in protocols believes X. sees X. said X. X is fresh. Page 57 Page 58 Steps in Applying BAN Logic What Can BAN Logic Do? Convert protocol to an idealized form Add all assumptions about initial state Attach logical formulae to the statements Apply logical postulates to the assertions and assumptions to discover the beliefs of protocol parties Discover flaws in protocols Found flaws in Needham-Schroeder Discover redundancies In Needham-Schroeder, Kerberos, etc. Page 59 Page 60 10

11 Critiques of BAN Logic Using Algebraic Term-ewriting Modeling Methods Translations into idealized protocols may not reflect the real protocol Doesn t address all important security issues for protocols Some feel that BAN logic can deduce characteristics that are obviously false Model the protocol as an algebraic system Express the state of the participants knowledge about the protocol Analyze the attainability of certain states Page 61 Page 62 Use of These Methods Specialized Approaches NL Protocol Analyzer Has discovered flaws in several protocols A relatively new method Weakest link seems to be formalizing protocol into an algebraic system Page 63 Stubblebine & Gligor s method of modeling weak crypto checksums Found problems in Kerberos and Privacy- Enhanced Mail Not useful for other types of analysis Woo-Lam s approach for key distribution protocols Pfitzmann s method for digital signatures There are others Page 64 An Entirely Different Approach Instead of using formal methods to verify security protocols, Use them to develop such protocols Some early work done using this approach Not clear if it will be fruitful Page 65 Bottom Line on Security Protocol Analysis Has been successful in finding some problems No one believes existing methods can find all problems Some knowledgeable observers think no method will ever be able to find all problems So, a useful tool, but not a panacea esearch in this area continues Page 66 11

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange Outline More Security Protocols CS 239 Security for System Software April 22, 2002 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and

More information

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Outline More Security Protocols CS 239 Computer Security February 6, 2006 Outline More Security Protocols CS 239 Computer Security February 6, 2006 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication

More information

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh Protocols II Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 17th February 2011 Outline Introduction Shared-key Authentication Asymmetric authentication protocols

More information

Session key establishment protocols

Session key establishment protocols our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session

More information

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken 0/41 Alice Who? Authentication Protocols Andreas Zeller/Stephan Neuhaus Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken The Menu 1/41 Simple Authentication Protocols The Menu 1/41 Simple

More information

Elements of Security

Elements of Security Elements of Security Dr. Bill Young Department of Computer Sciences University of Texas at Austin Last updated: April 8, 2015 at 12:47 Slideset 7: 1 Car Talk Puzzler You have a friend in a police state

More information

Logic of Authentication

Logic of Authentication Logic of Authentication Dennis Kafura Derived from materials authored by: Burrows, Abadi, Needham 1 Goals and Scope Goals develop a formalism to reason about authentication protocols uses determine guarantees

More information

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 38 A Tutorial on Network Protocols

More information

BAN Logic. Logic of Authentication 1. BAN Logic. Source. The language of BAN. The language of BAN. Protocol 1 (Needham-Schroeder Shared-Key) [NS78]

BAN Logic. Logic of Authentication 1. BAN Logic. Source. The language of BAN. The language of BAN. Protocol 1 (Needham-Schroeder Shared-Key) [NS78] Logic of Authentication 1. BAN Logic Ravi Sandhu BAN Logic BAN is a logic of belief. In an analysis, the protocol is first idealized into messages containing assertions, then assumptions are stated, and

More information

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature Key Management Digital signatures: classical and public key Classic and Public Key exchange 1 Handwritten Signature Used everyday in a letter, on a check, sign a contract A signature on a signed paper

More information

What did we talk about last time? Public key cryptography A little number theory

What did we talk about last time? Public key cryptography A little number theory Week 4 - Friday What did we talk about last time? Public key cryptography A little number theory If p is prime and a is a positive integer not divisible by p, then: a p 1 1 (mod p) Assume a is positive

More information

Security protocols. Correctness of protocols. Correctness of protocols. II. Logical representation and analysis of protocols.i

Security protocols. Correctness of protocols. Correctness of protocols. II. Logical representation and analysis of protocols.i Security protocols Logical representation and analysis of protocols.i A security protocol is a set of rules, adhered to by the communication parties in order to ensure achieving various security or privacy

More information

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols CIS 6930/4930 Computer and Network Security Topic 6.2 Authentication Protocols 1 Authentication Handshakes Secure communication almost always includes an initial authentication handshake. Authenticate

More information

User Authentication Protocols Week 7

User Authentication Protocols Week 7 User Authentication Protocols Week 7 CEN-5079: 2.October.2017 1 Announcement Homework 1 is posted on the class webpage Due in 2 weeks 10 points (out of 100) subtracted each late day CEN-5079: 2.October.2017

More information

User Authentication Protocols

User Authentication Protocols User Authentication Protocols Class 5 Stallings: Ch 15 CIS-5370: 26.September.2016 1 Announcement Homework 1 is due today by end of class CIS-5370: 26.September.2016 2 User Authentication The process of

More information

Security Handshake Pitfalls

Security Handshake Pitfalls Hello Challenge R f(k, R f(k, R Problems: 1. Authentication is not mutual only authenticates Anyone can send the challenge R. f(k, R Problems: 1. Authentication is not mutual only authenticates Anyone

More information

CS Protocol Design. Prof. Clarkson Spring 2017

CS Protocol Design. Prof. Clarkson Spring 2017 CS 5430 Protocol Design Prof. Clarkson Spring 2017 Review Cryptography: Encryption, block ciphers, block cipher modes, MACs, cryptographic hash functions, digital signatures, authenticated encryption,

More information

Contents Digital Signatures Digital Signature Properties Direct Digital Signatures

Contents Digital Signatures Digital Signature Properties Direct Digital Signatures Contents Digital Signatures... 197 Digital Signature Properties... 198 Direct Digital Signatures... 198 199...قابلداوری Arbitrated Digital Signatures Arbitrated Digital Signature Technaiques... 200 Authentication

More information

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018 Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS

More information

Cryptographic Checksums

Cryptographic Checksums Cryptographic Checksums Mathematical function to generate a set of k bits from a set of n bits (where k n). k is smaller then n except in unusual circumstances Example: ASCII parity bit ASCII has 7 bits;

More information

Lecture 8 - Message Authentication Codes

Lecture 8 - Message Authentication Codes Lecture 8 - Message Authentication Codes Benny Applebaum, Boaz Barak October 12, 2007 Data integrity Until now we ve only been interested in protecting secrecy of data. However, in many cases what we care

More information

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology Cryptography & Key Exchange Protocols Faculty of Computer Science & Engineering HCMC University of Technology Outline 1 Cryptography-related concepts 2 3 4 5 6 7 Key channel for symmetric cryptosystems

More information

Mechanising BAN Kerberos by the Inductive Method

Mechanising BAN Kerberos by the Inductive Method Mechanising BAN Kerberos by the Inductive Method Giampaolo Bella Lawrence C Paulson Computer Laboratory University of Cambridge New Museums Site, Pembroke Street Cambridge CB2 3QG (UK) {gb221,lcp}@cl.cam.ac.uk

More information

Computer Networks & Security 2016/2017

Computer Networks & Security 2016/2017 Computer Networks & Security 2016/2017 Network Security Protocols (10) Dr. Tanir Ozcelebi Courtesy: Jerry den Hartog Courtesy: Kurose and Ross TU/e Computer Science Security and Embedded Networked Systems

More information

CS3235 Seventh set of lecture slides

CS3235 Seventh set of lecture slides CS3235 Seventh set of lecture slides Hugh Anderson National University of Singapore School of Computing October, 2007 Hugh Anderson CS3235 Seventh set of lecture slides 1 Warp 9... Outline 1 Public Key

More information

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models CS 645 Security and Privacy in Computer Systems Lecture 7 The Kerberos authentication system Last Week Security policy, security models, trust Access control models The Bell-La Padula (BLP) model The Biba

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security Outline ZKIP Other IP CPSC 467b: Cryptography and Computer Security Lecture 19 Michael J. Fischer Department of Computer Science Yale University March 31, 2010 Michael J. Fischer CPSC 467b, Lecture 19

More information

Spring 2010: CS419 Computer Security

Spring 2010: CS419 Computer Security Spring 2010: CS419 Computer Security Vinod Ganapathy Lecture 7 Topic: Key exchange protocols Material: Class handout (lecture7_handout.pdf) Chapter 2 in Anderson's book. Today s agenda Key exchange basics

More information

CS Protocols. Prof. Clarkson Spring 2016

CS Protocols. Prof. Clarkson Spring 2016 CS 5430 Protocols Prof. Clarkson Spring 2016 Review: Secure channel When we last left off, we were building a secure channel The channel does not reveal anything about messages except for their timing

More information

Grenzen der Kryptographie

Grenzen der Kryptographie Microsoft Research Grenzen der Kryptographie Dieter Gollmann Microsoft Research 1 Summary Crypto does not solve security problems Crypto transforms security problems Typically, the new problems relate

More information

1 Achieving IND-CPA security

1 Achieving IND-CPA security ISA 562: Information Security, Theory and Practice Lecture 2 1 Achieving IND-CPA security 1.1 Pseudorandom numbers, and stateful encryption As we saw last time, the OTP is perfectly secure, but it forces

More information

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security CMPSC443 - Introduction to Computer and Network Security Module: Cryptographic Protocols Professor Patrick McDaniel Spring 2009 1 Key Distribution/Agreement Key Distribution is the process where we assign

More information

A Limitation of BAN Logic Analysis on a Man-in-the-middle Attack

A Limitation of BAN Logic Analysis on a Man-in-the-middle Attack ISS 1746-7659, England, U Journal of Information and Computing Science Vol. 1, o. 3, 2006, pp. 131-138 Limitation of Logic nalysis on a Man-in-the-middle ttack + Shiping Yang, Xiang Li Computer Software

More information

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification Hossen Asiful Mustafa Introduction Entity Authentication is a technique designed to let one party prove the identity of another

More information

Crypto Background & Concepts SGX Software Attestation

Crypto Background & Concepts SGX Software Attestation CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 4b Slide deck extracted from Kamran s tutorial on SGX, presented during ECE 6095 Spring 2017 on Secure Computation and Storage, a precursor to this course

More information

Security Analysis of Bluetooth v2.1 + EDR Pairing Authentication Protocol. John Jersin Jonathan Wheeler. CS259 Stanford University.

Security Analysis of Bluetooth v2.1 + EDR Pairing Authentication Protocol. John Jersin Jonathan Wheeler. CS259 Stanford University. Security Analysis of Bluetooth v2.1 + EDR Pairing Authentication Protocol John Jersin Jonathan Wheeler CS259 Stanford University March 20, 2008 Version 1 Security Analysis of Bluetooth v2.1 + EDR Pairing

More information

CS 161 Computer Security

CS 161 Computer Security Raluca Popa Spring 2018 CS 161 Computer Security Homework 2 Due: Wednesday, February 14, at 11:59pm Instructions. This homework is due Wednesday, February 14, at 11:59pm. No late homeworks will be accepted.

More information

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication Outline Security Handshake Pitfalls (Chapter 11 & 12.2) Login Only Authentication (One Way) Login i w/ Shared Secret One-way Public Key Lamport s Hash Mutual Authentication Shared Secret Public Keys Timestamps

More information

Fall 2010/Lecture 32 1

Fall 2010/Lecture 32 1 CS 426 (Fall 2010) Key Distribution & Agreement Fall 2010/Lecture 32 1 Outline Key agreement without t using public keys Distribution of public keys, with public key certificates Diffie-Hellman Protocol

More information

Cryptography and Network Security Chapter 14

Cryptography and Network Security Chapter 14 Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 14 Key Management and Distribution No Singhalese, whether man or woman, would venture

More information

Session Key Distribution

Session Key Distribution Session Key Distribution The TA shares secret keys with network users. The TA chooses session keys and distributes them in encrypted form upon request of network users. We will need to define appropriate

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 24 April 16, 2012 CPSC 467b, Lecture 24 1/33 Kerberos Secure Shell (SSH) Transport Layer Security (TLS) Digital Rights Management

More information

CIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries

CIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries CIS 6930/4930 Computer and Network Security Topic 7. Trusted Intermediaries 1 Trusted Intermediaries Problem: authentication for large networks Solution #1 Key Distribution Center (KDC) Representative

More information

Modelling and Analysing of Security Protocol: Lecture 1. Introductions to Modelling Protocols. Tom Chothia CWI

Modelling and Analysing of Security Protocol: Lecture 1. Introductions to Modelling Protocols. Tom Chothia CWI Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI This Course This course will primarily teaching you: How to design your own secure communication

More information

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos ECE596C: Handout #9 Authentication Using Shared Secrets Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract. In this lecture we introduce the concept of authentication and

More information

Attacking Authentication Protocols

Attacking Authentication Protocols Attacking Authentication Protocols John Clark 31 March 1996 1 Introduction The past two decades have seen an enormous increase in the development and use of networked and distributed systems, providing

More information

AIT 682: Network and Systems Security

AIT 682: Network and Systems Security AIT 682: Network and Systems Security Topic 7. Trusted Intermediaries Instructor: Dr. Kun Sun Trusted Intermediaries Problem: authentication for large networks Solution #1 Key Distribution Center (KDC)

More information

CS 161 Computer Security

CS 161 Computer Security Popa & Wagner Spring 2016 CS 161 Computer Security Midterm 2 Print your name:, (last) (first) I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that academic misconduct will be

More information

Combined CPV-TLV Security Protocol Verifier

Combined CPV-TLV Security Protocol Verifier Combined CPV-TLV Security Protocol Verifier by Ariel Cohen Thesis submitted in partial fulfillment of the requirements for the degree of Master of Science Department of Computer Science Courant Institute

More information

Applied Cryptography Protocol Building Blocks

Applied Cryptography Protocol Building Blocks Applied Cryptography Protocol Building Blocks Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 Protocols An algorithm describes a series of steps carried out by a process

More information

Introduction to Security

Introduction to Security Introduction to Security Avinanta Tarigan Universitas Gunadarma 1 Avinanta Tarigan Introduction to Security Layout Problems General Security Cryptography & Protocol reviewed 2 Avinanta Tarigan Introduction

More information

CS 161 Computer Security

CS 161 Computer Security Popa & Wagner Spring 2016 CS 161 Computer Security Discussion 5 Week of February 19, 2017 Question 1 Diffie Hellman key exchange (15 min) Recall that in a Diffie-Hellman key exchange, there are values

More information

Breaking and Fixing Public-Key Kerberos

Breaking and Fixing Public-Key Kerberos Breaking and Fixing Public-Key Kerberos Iliano Cervesato Carnegie Mellon University - Qatar iliano@cmu.edu Joint work with Andre Scedrov, Aaron Jaggard, Joe-Kai Tsay, Christopher Walstad ASIAN 06 December

More information

Proofs for Key Establishment Protocols

Proofs for Key Establishment Protocols Information Security Institute Queensland University of Technology December 2007 Outline Key Establishment 1 Key Establishment 2 3 4 Purpose of key establishment Two or more networked parties wish to establish

More information

Key Establishment and Authentication Protocols EECE 412

Key Establishment and Authentication Protocols EECE 412 Key Establishment and Authentication Protocols EECE 412 1 where we are Protection Authorization Accountability Availability Access Control Data Protection Audit Non- Repudiation Authentication Cryptography

More information

Introduction to Modern Cryptography. Benny Chor

Introduction to Modern Cryptography. Benny Chor Introduction to Modern Cryptography Benny Chor Identification (User Authentication) Fiat-Shamir Scheme Lecture 12 Tel-Aviv University 4 January 2010 Model and Major Issues Alice wishes to prove to Bob

More information

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms Authentication IT443 Network Security Administration Instructor: Bo Sheng Authentication Mechanisms Key Distribution Center and Certificate Authorities Session Key 1 2 Authentication Authentication is

More information

CS 395T. Formal Model for Secure Key Exchange

CS 395T. Formal Model for Secure Key Exchange CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,

More information

KEY AGREEMENT PROTOCOLS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 13 of Trappe and Washington

KEY AGREEMENT PROTOCOLS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 13 of Trappe and Washington KEY AGREEMENT PROTOCOLS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 13 of Trappe and Washington DIFFIE-HELLMAN KEY EXCHANGE Alice & want to exchange a ton of data using

More information

Securing Internet Communication: TLS

Securing Internet Communication: TLS Securing Internet Communication: TLS CS 161: Computer Security Prof. David Wagner March 11, 2016 Today s Lecture Applying crypto technology in practice Two simple abstractions cover 80% of the use cases

More information

An Interface Specification Language for Automatically Analyzing Cryptographic Protocols

An Interface Specification Language for Automatically Analyzing Cryptographic Protocols An Interface Specification Language for Automatically Analyzing Cryptographic Protocols Internet Society Symposium on Network and Distributed System Security February 10-11, 1997 San Diego Princess Resort,

More information

Cryptographic proof of custody for incentivized file-sharing

Cryptographic proof of custody for incentivized file-sharing Cryptographic proof of custody for incentivized file-sharing Pavel Kravchenko 1, Vlad Zamfir 2 1 Distributed Lab, pavel@distributedlab.com 2 Coinculture, vlad@coinculture.info Abstract. A cryptographic

More information

An Efficient and Secure Multi-server Smart Card based Authentication Scheme

An Efficient and Secure Multi-server Smart Card based Authentication Scheme An Efficient Secure Multi-server Smart Card based Authentication Scheme Toshi Jain Department of r Science Engineering Oriental Institute of Science & Technology Bhopal, India Seep Pratap Singh Department

More information

Secure Multiparty Computation

Secure Multiparty Computation CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation

More information

Identification Schemes

Identification Schemes Identification Schemes Lecture Outline Identification schemes passwords one-time passwords challenge-response zero knowledge proof protocols Authentication Data source authentication (message authentication):

More information

This chapter examines some of the authentication functions that have been developed to support network-based use authentication.

This chapter examines some of the authentication functions that have been developed to support network-based use authentication. 1 This chapter examines some of the authentication functions that have been developed to support network-based use authentication. In most computer security contexts, user authentication is the fundamental

More information

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic. 15-441 Lecture Nov. 21 st 2006 Dan Wendlandt Worms & Viruses Phishing End-host impersonation Denial-of-Service Route Hijacks Traffic modification Spyware Trojan Horse Password Cracking IP Spoofing DNS

More information

Network Security and Internet Protocols

Network Security and Internet Protocols Network Security and Internet Protocols Luca Viganò Dipartimento di Informatica Università di Verona Sicurezza delle Reti A.A. 12/13 Lecture 5 Luca Viganò (Università di Verona) Network Security and Internet

More information

SECURITY AND DATA REDUNDANCY. A White Paper

SECURITY AND DATA REDUNDANCY. A White Paper SECURITY AND DATA REDUNDANCY A White Paper Security and Data Redundancy Whitepaper 2 At MyCase, Security is Our Top Priority. Here at MyCase, we understand how important it is to keep our customer s data

More information

CSC 482/582: Computer Security. Security Protocols

CSC 482/582: Computer Security. Security Protocols Security Protocols Topics 1. Basic Concepts of Cryptography 2. Security Protocols 3. Authentication Protocols 4. Key Exchange Protocols 5. Kerberos 6. Public Key Infrastructure Encryption and Decryption

More information

A Mathematical Proof. Zero Knowledge Protocols. Interactive Proof System. Other Kinds of Proofs. When referring to a proof in logic we usually mean:

A Mathematical Proof. Zero Knowledge Protocols. Interactive Proof System. Other Kinds of Proofs. When referring to a proof in logic we usually mean: A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of statements. 2. Based on axioms. Zero Knowledge Protocols 3. Each statement is derived via the derivation rules.

More information

THE SWIRLDS HASHGRAPH CONSENSUS ALGORITHM: FAIR, FAST, BYZANTINE FAULT TOLERANCE

THE SWIRLDS HASHGRAPH CONSENSUS ALGORITHM: FAIR, FAST, BYZANTINE FAULT TOLERANCE THE SWIRLDS HASHGRAPH CONSENSUS ALGORITHM: FAIR, FAST, BYZANTINE FAULT TOLERANCE LEEMON BAIRD BAIRD@SWIRLDS.COM MAY 31, 2016 SWIRLDS TECH REPORT SWIRLDS-TR-2016-01 Abstract. A new system, the Swirlds hashgraph

More information

8.7 Authentication Protocols

8.7 Authentication Protocols Page 1 of 11 [ Team LiB ] 8.7 Authentication Protocols Authentication is the technique by which a process verifies that its communication partner is who it is supposed to be and not an imposter. Verifying

More information

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key? ryptography Goals Protect private communication in the public world and are shouting messages over a crowded room no one can understand what they are saying 1 Other Uses of ryptography Authentication should

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 4, 2017 CPSC 467, Lecture 11 1/39 ElGamal Cryptosystem Message Integrity and Authenticity Message authentication codes

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Michael J. Fischer Lecture 4 September 11, 2017 CPSC 467, Lecture 4 1/23 Analyzing Confidentiality of Cryptosystems Secret ballot elections Information protection Adversaries

More information

T Cryptography and Data Security

T Cryptography and Data Security T-79.4501 Cryptography and Data Security Lecture 10: 10.1 Random number generation 10.2 Key management - Distribution of symmetric keys - Management of public keys Stallings: Ch 7.4; 7.3; 10.1 1 The Use

More information

HOST Cryptography I ECE 525. Cryptography Handbook of Applied Cryptography &

HOST Cryptography I ECE 525. Cryptography Handbook of Applied Cryptography & Cryptography Handbook of Applied Cryptography & http://cseweb.ucsd.edu/users/mihir/cse207/ Brief History: Proliferation of computers and communication systems in 1960s brought with it a demand to protect

More information

Breaking and Fixing Public-Key Kerberos

Breaking and Fixing Public-Key Kerberos Breaking and Fixing Public-Key Kerberos Iliano Cervesato Carnegie Mellon University - Qatar iliano@cmu.edu Joint work with Andre Scedrov, Aaron Jaggard, Joe-Kai Tsay, Christopher Walstad Qatar University

More information

Public-key Cryptography: Theory and Practice

Public-key Cryptography: Theory and Practice Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 1: Overview What is Cryptography? Cryptography is the study of

More information

1 One-Time Pad. 1.1 One-Time Pad Definition

1 One-Time Pad. 1.1 One-Time Pad Definition 1 One-Time Pad Secure communication is the act of conveying information from a sender to a receiver, while simultaneously hiding it from everyone else Secure communication is the oldest application of

More information

Fair Exchange Protocols

Fair Exchange Protocols air Exchange Protocols Steve Kremer and Mark Ryan air Exchnage Protocols p.1 Examples of fair exchange protocols Electronic purchase of goods exchange of an electronic item against an electronic payment

More information

Instructions 1 Elevation of Privilege Instructions

Instructions 1 Elevation of Privilege Instructions Instructions 1 Elevation of Privilege Instructions Draw a diagram of the system you want to threat model before you deal the cards. Deal the deck to 3-6 players. Play starts with the 3 of Tampering. Play

More information

Unit III. Chapter 1: Message Authentication and Hash Functions. Overview:

Unit III. Chapter 1: Message Authentication and Hash Functions. Overview: Unit III Chapter 1: Message Authentication and Hash Functions Overview: Message authentication is a mechanism or service used to verify the integrity of a message. Message authentication assures that data

More information

Symmetric Encryption 2: Integrity

Symmetric Encryption 2: Integrity http://wwmsite.wpengine.com/wp-content/uploads/2011/12/integrity-lion-300x222.jpg Symmetric Encryption 2: Integrity With material from Dave Levin, Jon Katz, David Brumley 1 Summing up (so far) Computational

More information

Worksheet - Reading Guide for Keys and Passwords

Worksheet - Reading Guide for Keys and Passwords Unit 2 Lesson 15 Name(s) Period Date Worksheet - Reading Guide for Keys and Passwords Background Algorithms vs. Keys. An algorithm is how to execute the encryption and decryption and key is the secret

More information

Presented by Jack G. Nestell. Topics for Discussion. I. Introduction. Discussion on the different logics and methods of reasonings of Formal Methods

Presented by Jack G. Nestell. Topics for Discussion. I. Introduction. Discussion on the different logics and methods of reasonings of Formal Methods A Discussion on Security Protocols over open networks and distributed Systems: Formal methods for their Analysis, Design, and Verification S. Gritzalis, D. Spinellis, and P. Georgiadis Presented by Jack

More information

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422 Lecture 18 Message Integrity Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422 Cryptography is the study/practice of techniques for secure communication,

More information

MITOCW watch?v=zlohv4xq_ti

MITOCW watch?v=zlohv4xq_ti MITOCW watch?v=zlohv4xq_ti The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high-quality educational resources for free. To

More information

Introduction to Cryptography. Ramki Thurimella

Introduction to Cryptography. Ramki Thurimella Introduction to Cryptography Ramki Thurimella Encryption & Decryption 2 Generic Setting 3 Kerckhoff s Principle Security of the encryption scheme must depend only on The secret key NOT on the secrecy of

More information

Lecture 9. Authentication & Key Distribution

Lecture 9. Authentication & Key Distribution Lecture 9 Authentication & Key Distribution 1 Where are we now? We know a bit of the following: Conventional (symmetric) cryptography Hash functions and MACs Public key (asymmetric) cryptography Encryption

More information

Distributed Systems Principles and Paradigms

Distributed Systems Principles and Paradigms Distributed Systems Principles and Paradigms Chapter 09 (version April 7, 2008) Maarten van Steen Vrije Universiteit Amsterdam, Faculty of Science Dept. Mathematics and Computer Science Room R4.20. Tel:

More information

The Kerberos Authentication Service

The Kerberos Authentication Service The Kerberos Authentication Service By: Cule Stevan ID#: 0047307 SFWR 4C03 April 4, 2005 Last Revision: April 5, 2005 Stevan Cule 0047307 SOFTWARE ENGINEERING 4C03 WINTER 2005 The Kerberos Authentication

More information

key distribution requirements for public key algorithms asymmetric (or public) key algorithms

key distribution requirements for public key algorithms asymmetric (or public) key algorithms topics: cis3.2 electronic commerce 24 april 2006 lecture # 22 internet security (part 2) finish from last time: symmetric (single key) and asymmetric (public key) methods different cryptographic systems

More information

An Introduction to How PGP Works

An Introduction to How PGP Works An Introduction to How PGP Works Revision: 0.01 Author: Kenneth Robert Ballou Date 2005-07-21 Document Change History Change Description/Reason Changed By Date Revision Initial Creation of Document Kenneth

More information

Remote E-Voting System

Remote E-Voting System Remote E-Voting System Crypto2-Spring 2013 Benjamin Kaiser Jacob Shedd Jeremy White Phases Initialization Registration Voting Verifying Activities Trusted Authority (TA) distributes 4 keys to Registrar,

More information

n-bit Output Feedback

n-bit Output Feedback n-bit Output Feedback Cryptography IV Encrypt Encrypt Encrypt P 1 P 2 P 3 C 1 C 2 C 3 Steven M. Bellovin September 16, 2006 1 Properties of Output Feedback Mode No error propagation Active attacker can

More information

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC) Message Authentication Code (MAC) Key-dependent one-way hash function Only someone with a correct key can verify the hash value Easy way to turn one-way hash function into MAC is to encrypt hash value

More information

Operating System Security, Continued CS 136 Computer Security Peter Reiher January 29, 2008

Operating System Security, Continued CS 136 Computer Security Peter Reiher January 29, 2008 Operating System Security, Continued CS 136 Computer Security Peter Reiher January 29, 2008 Page 1 Outline Designing secure operating systems Assuring OS security TPM and trusted computing Page 2 Desired

More information

Security Using Digital Signatures & Encryption

Security Using Digital Signatures & Encryption Email Security Using Digital Signatures & Encryption CONTENTS. Introduction The Need for Email Security Digital Signatures & Encryption 101 Digital Signatures & Encryption in Action Selecting the Right

More information