Group Key Establishment Protocols
1 Group Key Establishment Protocols Ruxandra F. Olimid EBSIS Summer School on Distributed Event Based Systems and Related Topics 2016 July 14, 2016 Sinaia, Romania
2 Outline 1. Context and Motivation 2. Classifications 3. Properties 4. Constructions 5. Attacks and Security 2
3 Scenarios Many-to-Many One-to-Many 3
4 Scenarios Many-to-Many: similar roles for all users; peer-to-peer communication; e.g. virtual conference. One-to-Many: different roles; no communication between peers; e.g. Pay TV 4
5 Goals (Many-to-Many and One-to-Many) General goals for group applications / services: correctness, availability, performance, efficiency (computation, power consumption, etc.) Security aspects: confidentiality, authentication, access control, anonymity 5
6 Authentication 1. Group Authentication e.g.: a message is authenticated as sent by someone from the group 2. User Authentication e.g.: a message is authenticated as sent by a specific user inside the group 6
7 Confidentiality We focus on confidentiality Question: How can we achieve confidentiality? Answer: by using encryption Question: What do we need to encrypt? Answer: a (set of) key(s) Question: What makes it different for groups? Answer:... 7
8 Group Key Solution 1: one single key for all users Question: What could go wrong? Answer: users might leave or join the group 8
9 Group Key Solution 2: distinct keys for all pairs of communication parties or public key crypto Question: What could go wrong? Answer: too many keys to store securely / slow communication 9
10 Group Key Establishment (GKE) GKE protocols: protocols used for the establishment, distribution and management of keys in groups (i.e. more than 2 users) There is no single solution suitable for all scenarios! Criteria: Sender type: anyone can be a sender vs. only privileged users send. Group size and group scalability: small (e.g. small video group) vs. very large (e.g. broadcast TV). User availability: always online vs. sometimes offline. Membership dynamics: static vs. dynamic groups. Others: traffic volume, performance, power capabilities,... 10
11 GKE Classification GKA (Group Key Agreement) GKT (Group Key Transfer) 11
12 Scenarios GKA (Group Key Agreement): all users participate in key generation; multiple points of trust. GKT (Group Key Transfer): a privileged user (group manager / KGC*) selects a key and securely distributes it to the users; single point of trust. *KGC = Key Generation Center 12
13 GKE Requirements Scalability: accept group size changes (while maintaining efficiency), allowing users to leave and join the group (while maintaining security), etc. Independence: remain independent of the underlying multicast routing protocol or technology Reliability: ensure timely delivery of the key to intended recipients Others... This talk focuses on security 13
14 Security Goals: key confidentiality; known key security; forward security; backward security; entity authentication; key compromise impersonation resilience; ephemeral key leakage resilience; key freshness; key independence; key randomness; key indistinguishability; key unpredictability; key consistency; key authentication; key confirmation; mutual authentication 14
15 Security Goals Key confidentiality (also called key privacy, key secrecy or non-disclosure): guarantees that it is (computationally) infeasible for an adversary to compute the group key 15
16 Security Goals Known key security, forward security, backward security (stronger notions for key confidentiality): assure that key privacy holds regardless of the adversary's knowledge of (session or long-term) keys from other rounds of the protocol / the adversary's actions in future or past rounds of the protocol 16
17 Security Goals Key freshness: assures that the key is new, i.e. it has not been used before 17
18 Security Goals Key independence: imposes that no correlation exists between keys from different sessions 18
19 Security Goals Key randomness, key indistinguishability, key unpredictability: key randomness warrants indistinguishability from a random number and hence unpredictability 19
20 Security Goals Key consistency: prevents distinct users from accepting different keys 20
21 Security Goals Entity authentication: confirms the identity of a user 21
22 Security Goals Key compromise impersonation resilience: prevents an attacker who owns the long-term key of a user from impersonating other parties to him (i.e. from making him accept parties as honest peers even if they are not) 22
23 Security Goals Ephemeral key leakage resilience: prevents an adversary from recovering the group key even if it discloses the long-term keys and ephemeral keys of the parties involved, except both these values for the participants in the test session 23
24 Security Goals Key authentication: limits the possible owners of the group key to legitimate users 24
25 Security Goals Key confirmation: certifies that all authorized members actually have the key 25
26 Security Goals Mutual authentication (also called explicit key authentication, it combines key confirmation and key authentication): ensures that all qualified users to the protocol have actually computed the group key and no one else except them has 26
27 Adversaries Group membership: Insiders: users registered to the group but unauthorized for a given session; Outsiders: users not registered to the group Actions: Passive: eavesdrop on the communication channel Active: insert, delete, change messages on the communication channel Types of attacks: Man-in-the-middle, replay attack (we will see both later on), known key attack, DoS, etc. 27
28 GKE Question: How to design GKE? Answer: the natural approach is to start from 2-party protocols and extend to 3, 4, 5,... So, let's start from the popular Diffie-Hellman key exchange 28
29 Diffie-Hellman Key Exchange Introduced by W. Diffie and M. Hellman ("New Directions in Cryptography", 1976) Does not assure authentication Its security proof relies on the assumption that the underlying mathematical problem is hard 29
30 Diffie-Hellman Key Exchange Alice Bob 30
31 Man-in-the-Middle Attack Alice Oscar/Eve Bob 31
32 Joux 3-Party Key Exchange Introduced by A. Joux ("A One Round Protocol for Tripartite Diffie-Hellman", 2000) Does not assure authentication, so it remains vulnerable to man-in-the-middle attacks Its security relies on the assumption that the underlying mathematical problem is hard, but it works on bilinear pairs 32
33 33 Bilinear Pairs
34 Joux 3-Party Key Exchange Alice Bob Charlie 34
35 Joux 3-Party Key Exchange Secure under the bilinear Diffie-Hellman assumption: Constructions for bilinear maps: Weil pairing, Tate pairing 35
36 MultiParty Key Exchange Introduced by D. Boneh and A. Silverberg ("Applications of Multilinear Forms to Cryptography", 2002) Does not assume authentication, so it remains vulnerable to man-in-the-middle attacks Its security relies on the assumption that the underlying mathematical problem is hard, but it works on multilinear maps 36
37 37 Multilinear Maps
38 MultiParty Key Exchange (broadcast msg) User i 38
39 MultiParty Key Exchange Secure under the multilinear Diffie-Hellman assumption: Whether secure constructions of multilinear maps exist is questionable 39
40 DH-Based Key Exchange Previous constructions are built on a generalization of the Diffie-Hellman assumption But GKA protocols can also use DH key exchange as building block 40
41 DH-Based Key Exchange Ring structure Tree structure 41
42 Ring-based DH (an example) I.Ingemarsson, D.T.Tang, and C. K. Wong ( A Conference Key Distribution System, 1982) Users are placed in a ring A user talks only to its neighbours 42
43 Ring-based DH (an example) Round 1 43
44 Ring-based DH (an example) Round 2 44
45 Ring-based DH (an example) Round 3 45
46 Ring-based DH (an example) Round 4 46
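The ring protocol described on the slides above, as an added Python sketch (not part of the original deck): each user raises what it received from its left neighbour to its own private exponent and forwards the result to its right neighbour. The toy group parameters, function names and the contributor-tracking sets are assumptions made for the illustration; the sketch also records what an eavesdropper sees on the wire.

```python
import secrets
from math import prod

# Toy group, constructed for this demo: P is the Mersenne prime 2^127 - 1.
# Real deployments use a standardised large prime-order group.
P = 2**127 - 1
G = 3


def new_secret():
    """Private exponent of one user; it never leaves that user."""
    return secrets.randbelow(P - 3) + 2


def ring_key_agreement(exponents):
    """Run the ring protocol for users 0..n-1 holding the given exponents.

    Returns (keys, wire). keys[i] is the group key computed by user i.
    wire is a list of rounds; each round is a list of tuples
    (sender, receiver, value, contributors), i.e. the passive adversary's view.
    contributors is the set of users whose exponent is folded into value.
    """
    n = len(exponents)
    if n < 3:
        raise ValueError("the ring needs at least 3 users")
    # Value each user is about to exponentiate, with its contributor set.
    held = [(G, frozenset()) for _ in range(n)]
    wire = []
    for rnd in range(1, n + 1):
        raised = [(pow(v, exponents[i], P), c | {i})
                  for i, (v, c) in enumerate(held)]
        if rnd == n:
            # Last exponentiation is kept locally: this is the group key.
            return [v for v, _ in raised], wire
        # Rounds 1..n-1: send only to the right-hand neighbour.
        wire.append([(i, (i + 1) % n, v, c) for i, (v, c) in enumerate(raised)])
        held = [raised[(i - 1) % n] for i in range(n)]


def max_contributions_on_wire(wire):
    """Largest number of private exponents folded into any transmitted value."""
    return max(len(c) for rnd in wire for (_, _, _, c) in rnd)


def direct_key(exponents):
    """Reference value g^(x_0 * x_1 * ... * x_{n-1}) mod P."""
    return pow(G, prod(exponents), P)


if __name__ == "__main__":
    xs = [new_secret() for _ in range(5)]
    keys, wire = ring_key_agreement(xs)
    print("message rounds:", len(wire))
    print("all users agree:", len(set(keys)) == 1)
    print("matches g^(product of exponents):", keys[0] == direct_key(xs))
    # No transmitted value ever contains all n exponents, so the key itself
    # is never on the wire. Nothing here authenticates the neighbours, so an
    # active adversary is out of scope for this protocol, as for plain DH.
    print("max exponents in any message:", max_contributions_on_wire(wire))
```

With five users the run takes four message rounds, and every transmitted value is missing at least one user's exponent.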
47 Tree-based DH (an example) Y.Kim, A.Perrig, G.Tsudik ( Tree-based Group Key Agreement, 2004) Users are leaves in a (balanced) tree A key is agreed between children of the same node up to the root, which becomes the final group key 47
48 48 Tree-based DH (an example)
49 Tree-based DH (an example) Round 1 49
50 Tree-based DH (an example) Round 2 Round 1 50
51 Tree-based DH (an example) Round 3 Round 2 Round 1 51
52 Tree-based DH (an example) The protocol includes support for dynamic groups: Join: a new member is added to the group Leave: a member is removed from the group Merge: 2 groups are merged together Partition: one group is split in 2 groups Key refresh: the group key is refreshed We next explain Leave, as an example 52
53 53 Tree-based DH (an example)
54 54 Tree-based DH (an example)
55 Tree-based DH (an example) Round 2: Each user refreshes its tree of keys 55
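The tree-based agreement and the Leave operation described above, as an added Python sketch (not code from the slides or from the TGDH authors). It assumes the usual TGDH rules: a node's key is g^(K_left * K_right), its blinded key g^K is public, and on Leave a sponsor (here the rightmost leaf under the departed member's sibling) refreshes its share; the toy group, member names and function names are constructed for the illustration.

```python
import secrets

# Toy group, constructed for this demo (Mersenne prime 2^127 - 1).
P = 2**127 - 1
G = 3


def new_secret():
    """Fresh private share of one member."""
    return secrets.randbelow(P - 3) + 2


def build(members):
    """Balanced binary tree as nested tuples; leaves are member names."""
    if len(members) == 1:
        return members[0]
    mid = (len(members) + 1) // 2
    return (build(members[:mid]), build(members[mid:]))


def leaves(tree):
    return [tree] if isinstance(tree, str) else leaves(tree[0]) + leaves(tree[1])


def node_key(tree, shares):
    """Reference computation of a node key with all shares known."""
    if isinstance(tree, str):
        return shares[tree]
    return pow(G, node_key(tree[0], shares) * node_key(tree[1], shares), P)


def publish_blinded(tree, shares):
    """Blinded keys g^K of every node: the values broadcast to the group."""
    pub = {}

    def walk(t):
        pub[t] = pow(G, node_key(t, shares), P)
        if not isinstance(t, str):
            walk(t[0])
            walk(t[1])

    walk(tree)
    return pub


def member_key(tree, member, share, blinded):
    """Group key as one member derives it: own share plus the public
    blinded keys of the sibling nodes on its path to the root."""
    if isinstance(tree, str):
        return share
    left, right = tree
    if member in leaves(left):
        return pow(blinded[right], member_key(left, member, share, blinded), P)
    return pow(blinded[left], member_key(right, member, share, blinded), P)


def group_keys(tree, shares):
    blinded = publish_blinded(tree, shares)
    return {m: member_key(tree, m, shares[m], blinded) for m in leaves(tree)}


def sibling(tree, member):
    left, right = tree
    if left == member:
        return right
    if right == member:
        return left
    return sibling(left if member in leaves(left) else right, member)


def remove(tree, member):
    """Delete a leaf and promote its sibling into the parent's place."""
    left, right = tree
    if left == member:
        return right
    if right == member:
        return left
    if member in leaves(left):
        return (remove(left, member), right)
    return (left, remove(right, member))


def leave(tree, shares, member):
    """Leave: restructure the tree, then the sponsor refreshes its share so
    the new group key is independent of the keys the departed member saw."""
    sponsor = leaves(sibling(tree, member))[-1]
    new_shares = {m: s for m, s in shares.items() if m != member}
    new_shares[sponsor] = new_secret()
    return remove(tree, member), new_shares, sponsor


if __name__ == "__main__":
    members = ["M1", "M2", "M3", "M4", "M5", "M6"]   # constructed names
    tree = build(members)
    shares = {m: new_secret() for m in members}
    before = group_keys(tree, shares)
    tree2, shares2, sponsor = leave(tree, shares, "M3")
    after = group_keys(tree2, shares2)
    print("agree before leave:", len(set(before.values())) == 1)
    print("sponsor:", sponsor, "| new tree:", tree2)
    print("agree after leave:", len(set(after.values())) == 1)
    print("key changed:", after["M1"] != before["M1"])
```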
56 GKE Question: What kind of GKE were all these examples, GKA or GKT? Answer: GKA So, let's have a look at GKT and see some attacks! 56
57 GKT GKC 57
58 GKT GKC Registered users (insiders) Authorized users (registered) Unregistered users (outsiders) 58
59 GKT [Figure: GKC and users labelled with keys LLKey 1 to LLKey 5] Registered users (insiders) Authorized users (registered) Unregistered users (outsiders) 59
60 Yuan et al. GKT Introduced by W. Yuan, L. Hu, H. Li, J. Chu ( An Efficient Password-based Group Key Exchange Protocol Using Secret Sharing, 2013) The long-term key is a password (split in two parts) Has no (real) security proof! 60
61 GKT [Figure: GKC and users labelled with password parts pw ix, pw iy for users 1 to 5] Registered users (insiders) Authorized users (registered) Unregistered users (outsiders) 61
62 62 Yuan et al. GKT
63 First Attack Insider attack & Replay attack 63
64 First Attack GKC Insider Attack 64
65 First Attack GKC GKC Replay Attack 65
66 First Attack Session s1 Session s2 66
67 The Modified Protocol *nonce = number used once 67
68 68 The Modified Protocol
69 Second Attack This does not make it secure against an insider attack! Both attacks were introduced by R.F.Olimid ( A Chain of Attacks and Countermeasures Applied to a Group Key Transfer Protocol, 2014) 69
70 Second Attack GKC Insider Attack 70
71 Second Attack Session s1 Session s2 71
72 Formal Security Models Security models formalize the security goals within a precise environment, specifying the trust assumptions, the relations between participants, the adversarial power, the communication medium Security proofs prove a protocol is secure under a specific model 72
73 Formal Security Models Some of the proposed security models:
Year | Name | Info
2001 | BCPQ [1] | first security model (generalizes existing models for two or three party protocols)
2001 | BCP [2] | + dynamic groups
2002 | BCP+ [3] | + strong corruption (i.e. the attacker reveals the ephemeral internal state information of the users' instances)
2005 | KS [4] | security against insider attacks (UC framework)
2009 | GBG [5] | + KCI (Key Compromise Impersonation)
2011 | eGBG [6] | + EKL (Ephemeral Keys Leakage)
2013 | g-eCK [7] | + EKL in test session (GKE version of eCK)
More info: [8], [9] 73
74 Formal Security Models
[1] Bresson, E., Chevassut, O., Pointcheval, D. and Quisquater, J.J., 2001, November. Provably authenticated group Diffie-Hellman key exchange. In Proceedings of the 8th ACM Conference on Computer and Communications Security (pp ).
[2] Bresson, E., Chevassut, O. and Pointcheval, D., 2001, December. Provably authenticated group Diffie-Hellman key exchange: the dynamic case. In International Conference on the Theory and Application of Cryptology and Information Security (pp ).
[3] Bresson, E., Chevassut, O. and Pointcheval, D., 2002, April. Dynamic group Diffie-Hellman key exchange under standard assumptions. In International Conference on the Theory and Applications of Cryptographic Techniques (pp ).
[4] Katz, J. and Shin, J.S., 2005, November. Modeling insider attacks on group key-exchange protocols. In Proceedings of the 12th ACM Conference on Computer and Communications Security (pp ).
[5] Gorantla, M.C., Boyd, C. and Nieto, J.M.G., 2009, March. Modeling key compromise impersonation attacks on group key exchange protocols. In International Workshop on Public Key Cryptography (pp ).
[6] Zhao, J., Gu, D. and Gorantla, M.C., 2011, March. Stronger security model of group key agreement. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (pp ).
[7] Manulis, M., Suzuki, K. and Ustaoglu, B., Modeling leakage of ephemeral secrets in tripartite/group key exchange. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 96(1), pp
[8] Manulis, M. "Survey on Security Requirements and Models for Group Key Exchange." IACR Cryptology ePrint Archive 2006 (2006): 388.
[9] Manulis, M., Provably secure group key exchange. Europ. Univ.-Verlag 74
75 Security Model (an example) M.C. Gorantla, C. Boyd, and J.M.G. Nieto ( Modeling key compromise impersonation attacks on group key exchange protocols, 1982) We talk about AKE (Authenticated Key Exchange) security only 75
76 Security Model (an example)
[Slide notation, labels only: upper bound for no. (concurrent) sessions; ephemeral information (for the current session); instance of user U in session s; long-term key (certified by an authority); session id (identifies session s); partner id (set of identities U wishes to establish a key with); terminates without a session key; connectives OR, AND]
Correctness: A GKE protocol is correct if: all instances have accepted; all instances are partnered; all instances have computed the same session group key
* index for user and session is distinct, but we have used the same notation i, respectively j 76
77 Security Model (an example) [Figure: game with the adversary, Stage 1 and Stage 2] A protocol is AKE-secure if the winning probability is negligibly close to 1/2. 77
78 Security Model (an example) Some informal security goals modeled by GBG: Key confidentiality: unauthorized parties cannot recover the key Forward secrecy: the adversary can learn the long-term private keys of the users, but this has no impact on the confidentiality of the keys established in previous sessions of the protocol Known key security: the adversary can learn keys from previous sessions, but this has no impact on the confidentiality of the current session key KCI resilience: the adversary can corrupt the user from the Test query, but it is not able to impersonate any of its partners to him; otherwise freshness fails. 78
79 Security Model (an example) Game-based proofs: Game 0, Game 1, ..., Game n. Game 0: the initial game (w.r.t. the crypto protocol that will be proven secure). Game n: infeasible to win (by a PPT adversary) 79
80 Thank you! Q&A 80
More informationInformation Security CS 526
Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric
More information2.1 Basic Cryptography Concepts
ENEE739B Fall 2005 Part 2 Secure Media Communications 2.1 Basic Cryptography Concepts Min Wu Electrical and Computer Engineering University of Maryland, College Park Outline: Basic Security/Crypto Concepts
More informationNetwork Security: Broadcast and Multicast. Tuomas Aura T Network security Aalto University, Nov-Dec 2011
Network Security: Broadcast and Multicast Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2011 Outline 1. Broadcast and multicast 2. Receiver access control (i.e. data confidentiality)
More informationLecture 1: Course Introduction
Lecture 1: Course Introduction Thomas Johansson T. Johansson (Lund University) 1 / 37 Chapter 9: Symmetric Key Distribution To understand the problems associated with managing and distributing secret keys.
More informationLecture 2 Applied Cryptography (Part 2)
Lecture 2 Applied Cryptography (Part 2) Patrick P. C. Lee Tsinghua Summer Course 2010 2-1 Roadmap Number theory Public key cryptography RSA Diffie-Hellman DSA Certificates Tsinghua Summer Course 2010 2-2
More informationChapter 9: Key Management
Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures Slide #9-1 Overview Key exchange Session vs. interchange
More informationLecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005
Lecture 30 Security April 11, 2005 Cryptography K A ciphertext Figure 7.3 goes here K B symmetric-key crypto: sender, receiver keys identical public-key crypto: encrypt key public, decrypt key secret Symmetric
More informationLecture 9a: Secure Sockets Layer (SSL) March, 2004
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York University artg@cs.nyu.edu Security Achieved by
More informationUNIT - IV Cryptographic Hash Function 31.1
UNIT - IV Cryptographic Hash Function 31.1 31-11 SECURITY SERVICES Network security can provide five services. Four of these services are related to the message exchanged using the network. The fifth service
More informationPairing-Based One-Round Tripartite Key Agreement Protocols
Pairing-Based One-Round Tripartite Key Agreement Protocols Zhaohui Cheng, Luminita Vasiu and Richard Comley School of Computing Science, Middlesex University White Hart Lane, London N17 8HR, United Kingdom
More informationL7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806
L7: Key Distributions Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806 9/16/2015 CSCI 451 - Fall 2015 1 Acknowledgement Many slides are from or are
More informationCS Computer Networks 1: Authentication
CS 3251- Computer Networks 1: Authentication Professor Patrick Traynor 4/14/11 Lecture 25 Announcements Homework 3 is due next class. Submit via T-Square or in person. Project 3 has been graded. Scores
More informationInternet Research Task Force (IRTF) Category: Informational April 2017 ISSN:
Internet Research Task Force (IRTF) J. Schmidt Request for Comments: 8125 secunet Security Networks Category: Informational April 2017 ISSN: 2070-1721 Requirements for Password-Authenticated Key Agreement
More informationBrief Introduction to Provable Security
Brief Introduction to Provable Security Michel Abdalla Département d Informatique, École normale supérieure michel.abdalla@ens.fr http://www.di.ens.fr/users/mabdalla 1 Introduction The primary goal of
More informationViber Encryption Overview
Introduction Terms Preparations for Session Setup Secure Session Setup Exchanging Messages Encrypted Calls Photo, Video and File Sharing Secure Groups Secondary Device Registration Authentication Viber
More informationHomework 3: Solution
Homework 3: Solution March 28, 2013 Thanks to Sachin Vasant and Xianrui Meng for contributing their solutions. Exercise 1 We construct an adversary A + that does the following to win the CPA game: 1. Select
More informationPublic-Key Infrastructure NETS E2008
Public-Key Infrastructure NETS E2008 Many slides from Vitaly Shmatikov, UT Austin slide 1 Authenticity of Public Keys? private key Alice Bob public key Problem: How does Alice know that the public key
More informationCryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 38 A Tutorial on Network Protocols
More informationSecurity Analysis of KEA Authenticated Key Exchange Protocol
Security Analysis of KEA Authenticated Key Exchange Protocol Kristin Lauter 1 and Anton Mityagin 2 1 Microsoft Research, One Microsoft Way, Redmond, WA 98052 klauter@microsoft.com 2 Department of Computer
More informationAnonymity. Assumption: If we know IP address, we know identity
03--4 Anonymity Some degree of anonymity from using pseudonyms However, anonymity is always limited by address TCP will reveal your address address together with ISP cooperation Anonymity is broken We
More informationPart II Bellare-Rogaway Model (Active Adversaries)
Part II Bellare-Rogaway Model (Active Adversaries) 8th BIU Winter School on Key Exchange, 2018 Marc Fischlin 13. Oktober 2010 Dr.Marc Fischlin Kryptosicherheit 1 Active Attacks Adversary may tamper, drop,
More informationKey Management and Distribution
CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Chapter 10 Key Management; Other Public Key Cryptosystems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan
More informationBlockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric
Blockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric Elli Androulaki Staff member, IBM Research, Zurich Workshop on cryptocurrencies Athens, 06.03.2016 Blockchain systems
More informationCS408 Cryptography & Internet Security
CS408 Cryptography & Internet Security Lectures 16, 17: Security of RSA El Gamal Cryptosystem Announcement Final exam will be on May 11, 2015 between 11:30am 2:00pm in FMH 319 http://www.njit.edu/registrar/exams/finalexams.php
More informationCSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography Outline 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More information0x1A Great Papers in Computer Security
CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ Privacy on Public Networks Internet is designed as a public network Wi-Fi access points,
More informationAuthentication for Paranoids: Multi-Party Secret Handshakes
Authentication for Paranoids: Multi-Party Secret Handshakes Stanis law Jarecki, Jihye Kim, and Gene Tsudik Computer Science Department University of California, Irvine {stasio, jihyek, gts}@ics.uci.edu
More informationChapter 10 : Private-Key Management and the Public-Key Revolution
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 10 : Private-Key Management and the Public-Key Revolution 1 Chapter 10 Private-Key Management
More informationComputer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 10r. Recitation assignment & concept review Paul Krzyzanowski Rutgers University Spring 2018 April 3, 2018 CS 419 2018 Paul Krzyzanowski 1 1. What is a necessary condition for perfect
More informationOutline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography 1. Introduction 2. RSA Outline 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More informationGroup Key Agreement Protocols for Dynamic Peer Groups
Nirav Jasapara jasapara@isi.edu Group Key Agreement Protocols for Dynamic Peer Groups ABSTRACT With the increased use of distributed services and applications, secure group communication over unsecured
More informationGrenzen der Kryptographie
Microsoft Research Grenzen der Kryptographie Dieter Gollmann Microsoft Research 1 Summary Crypto does not solve security problems Crypto transforms security problems Typically, the new problems relate
More informationWide-weak Privacy Preserving RFID Mutual Authentication Protocol
Wide-weak Privacy Preserving RFID Mutual Authentication Protocol Raghuvir Songhela Manik Lal Das DA-IICT, Gandhinagar, India. {songhela raghuvir, maniklal das}@daiict.ac.in Abstract Radio Frequency IDentification
More informationOutline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)
Outline AIT 682: Network and Systems Security 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard Topic 5.2 Public Key Cryptography Instructor: Dr. Kun Sun 2 Public Key
More informationModule: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security
CMPSC443 - Introduction to Computer and Network Security Module: Cryptographic Protocols Professor Patrick McDaniel Spring 2009 1 Key Distribution/Agreement Key Distribution is the process where we assign
More informationSecurity Analysis of Shim s Authenticated Key Agreement Protocols from Pairings
Security Analysis of Shim s Authenticated Key Agreement Protocols from Pairings Hung-Min Sun and Bin-san Hsieh Department of Computer Science, National sing Hua University, Hsinchu, aiwan, R.O.C. hmsun@cs.nthu.edu.tw
More informationLecture 7 - Applied Cryptography
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Lecture 7 - Applied Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger
More informationA SECURE PASSWORD-BASED REMOTE USER AUTHENTICATION SCHEME WITHOUT SMART CARDS
ISSN 1392 124X INFORMATION TECHNOLOGY AND CONTROL, 2012, Vol.41, No.1 A SECURE PASSWORD-BASED REMOTE USER AUTHENTICATION SCHEME WITHOUT SMART CARDS Bae-Ling Chen 1, Wen-Chung Kuo 2*, Lih-Chyau Wuu 3 1
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 1: Overview What is Cryptography? Cryptography is the study of
More informationNotes for Lecture 14
COS 533: Advanced Cryptography Lecture 14 (November 6, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Fermi Ma Notes for Lecture 14 1 Applications of Pairings 1.1 Recap Consider a bilinear e
More informationAuthenticated Key Agreement without Subgroup Element Verification
Authenticated Key Agreement without Subgroup Element Verification Taekyoung Kwon Sejong University, Seoul 143-747, Korea E-mail: tkwon@sejong.ac.kr Abstract. In this paper, we rethink the security of authenticated
More informationSecure Sockets Layer (SSL) / Transport Layer Security (TLS)
Secure Sockets Layer (SSL) / Transport Layer Security (TLS) Brad Karp UCL Computer Science CS GZ03 / M030 20 th November 2017 What Problems Do SSL/TLS Solve? Two parties, client and server, not previously
More informationDistributed ID-based Signature Using Tamper-Resistant Module
, pp.13-18 http://dx.doi.org/10.14257/astl.2013.29.03 Distributed ID-based Signature Using Tamper-Resistant Module Shinsaku Kiyomoto, Tsukasa Ishiguro, and Yutaka Miyake KDDI R & D Laboratories Inc., 2-1-15,
More informationChapter 9 Public Key Cryptography. WANG YANG
Chapter 9 Public Key Cryptography WANG YANG wyang@njnet.edu.cn Content Introduction RSA Diffie-Hellman Key Exchange Introduction Public Key Cryptography plaintext encryption ciphertext decryption plaintext
More information