Resolution of ISAKMP/Oakley Key-Agreement Protocol Resistant against Denial-of-Service Attack

Kanta Matsuura and Hideki Imai
Institute of Industrial Science, University of Tokyo, Tokyo, JAPAN

Abstract

Key-agreement protocols will play an important role as the entrance to secure communication over the Internet. Specifically, ISAKMP (Internet Security Association and Key Management Protocol)/Oakley key agreement is currently a leading approach for communication between two parties. The basic idea of ISAKMP/Oakley is an authenticated Diffie-Hellman (DH) key-agreement protocol. This authentication owes a lot to public-key primitives whose implementation includes modular exponentiation. Since modular exponentiation is computationally expensive, attackers are motivated to abuse it for Denial-of-Service (DoS) attacks. In search of resistance against DoS attacks, this paper first describes a basic idea for a protection mechanism that defends authenticated DH key-agreement protocols against DoS attacks. The paper then proposes a DoS-resistant version of the three-pass ISAKMP/Oakley Phase 1 in which DoS attacks impose expensive computation on the attackers themselves. The DoS resistance is evaluated in terms of (1) the computational cost caused by bogus requests and (2) a server-blocking probability.

I. Introduction

In order to enjoy secure communication over an open network, how to establish secret session keys is a fundamental problem. Looking at the Internet, ISAKMP (Internet Security Association and Key Management Protocol)/Oakley key agreement [1] had been a leading approach for communication between two entities. After some modification, it has recently reached RFC status as the Internet Key Exchange (IKE) [2]. ISAKMP/Oakley, or IKE, is based on the well-known Diffie-Hellman (DH) key-agreement protocol [3]. It is also well known that this protocol on its own is vulnerable to the intruder-in-the-middle attack: an attacker may intercept the protocol messages and masquerade as each of the users involved.
Protection mechanisms against this attack have long been explored by providing entity authentication [4]. Hence ISAKMP/Oakley is also equipped with authentication mechanisms which owe a lot to public-key primitives. Since these primitives are computationally expensive, malicious entities can initiate Denial-of-Service (DoS) attacks: they may launch quite a large number of bogus requests to exhaust the computational or communication resources of targets who verify each request honestly.

[Footnote: Manuscript received October 30. K. Matsuura (ext. 2325), fax , kanta@iis.u-tokyo.ac.jp; H. Imai (ext. 2313), imai@iis.u-tokyo.ac.jp. This work was partly supported by the Research for the Future Program (RFTF) of the Japan Society for the Promotion of Science (JSPS) under contract no. JSPS-RFTF 96P.]

The purpose of this paper is to solve this DoS problem. Specifically, Section II introduces our basic strategy [5] for protocol design. Then, after reviewing the conventional versions in Section III, we propose in Section IV a three-pass DoS-resistant version conforming to the strategy. Security considerations for the proposed version are subsequently given in Section V. Finally, Section VI gives concluding remarks.

II. Basic Strategy

As mentioned in the introduction, secure and authenticated DH key-agreement protocols usually cost a lot in computation and/or communication. In terms of communication complexity, three-pass protocols would be a practical solution. This section describes a design direction for protecting three-pass DH protocols from DoS attacks. Let us assume that the initiator I and the responder R can use the same public-key infrastructure, where the public and secret keys of an entity X are denoted by PK_X and SK_X, respectively. Then three-pass DH key-agreement protocols can typically be structured as shown in Fig. 1. Our design direction for DoS resistance is as follows:

1. Do not use heavy computation such as modular exponentiation in Step (4).
2. Send a random, fresh material implicitly in the Reply Message (5), in such a way that reconstructing the material requires heavy computation in Step (6). We will refer to this material as "RF material" in the following.
3. Use the RF material for authentication.
4. Carry an acknowledgment material derived from the reconstructed RF material in the Acknowledgment Message (7).
5. Verify the acknowledgment material at the beginning of Step (8). This verification must be computationally less expensive than the reconstruction of the RF material in Step (6).
Fig. 1. Typical structure of three-pass authenticated DH key-agreement protocols with public-key infrastructure.

  Step  Initiator (I)                                Responder (R)
  (1)   Precomputation                               Precomputation
  (2)   Computation using PK_R and/or SK_I
  (3)   Request Message  ==>
  (4)                                                Computation using PK_I and/or SK_R
                                                     (session-key computation may be included)
  (5)                    <==  Reply Message
  (6)   Computation using PK_R and/or SK_I
        (session-key computation may be included)
  (7)   Acknowledgment Message  ==>
  (8)                                                Computation using PK_I and/or SK_R
  (9)   Key establishment                            Key establishment

Once a protocol conforms to this direction, it discourages DoS attackers with a "falling-together" nightmare: if the attacker and the target have a similar level of computational power, the attacker must exhaust his/her own resources in order to exhaust those of the target, since a bogus acknowledgment material is detected before the computationally expensive parts of Step (8).

III. Aggressive Mode of ISAKMP/Oakley

A. Conventional Versions

In the key-management mechanism of IPv6 (Internet Protocol version 6), IKE has several key-agreement modes with different numbers of message passes; in Phase 1, for example, Aggressive Mode is a three-pass protocol while Main Mode is a six-pass protocol. In a situation where pre-shared keys are not available, the "Aggressive Mode of ISAKMP/Oakley" is authenticated with public-key encryption or with digital signatures. We will refer to these two authentication types as PKE-authentication and SIG-authentication, respectively. They are described in Fig. 2 (a) and (b). In Fig. 2, HDR is an ISAKMP header, and the cookies CKY_I and CKY_R are set up in the header. SA is an SA (Security Association) payload with one or more proposals. A security association is a set of policy and keys used to protect information.
The ISAKMP SA is the shared policy and keys used by the negotiating peers to protect their communication; the initiator may provide multiple proposals regarding the SA, while the responder must reply with only one. SAb is the entire body of the SA payload (minus the ISAKMP generic header). KE is a key-exchange payload which carries keying material such as the DH public values, denoted by g^x (generated by the initiator) and g^y (generated by the responder). N_I is the nonce payload of the initiator while N_R is that of the responder. Likewise, ID_I and ID_R are their identity payloads, and SIG_I and SIG_R are their digitally signed hash payloads. The hash payloads are pseudo-randomly computed from their nonces, DH public values, cookies, SAs, and IDs as

$$\mathit{HASH}_I = \mathit{prf}(\mathit{SKEYID},\ g^x \| g^y \| \mathit{CKY}_I \| \mathit{CKY}_R \| \mathit{SAb} \| \mathit{ID}_I) \quad (1)$$

$$\mathit{HASH}_R = \mathit{prf}(\mathit{SKEYID},\ g^x \| g^y \| \mathit{CKY}_R \| \mathit{CKY}_I \| \mathit{SAb} \| \mathit{ID}_R) \quad (2)$$

where SKEYID is the output of a pseudo-random function:

$$\mathit{SKEYID} = \mathit{prf}(\mathit{hash}(N_I \| N_R),\ \mathit{CKY}_I \| \mathit{CKY}_R) \quad (3)$$

for PKE-authentication, while

$$\mathit{SKEYID} = \mathit{prf}(N_I \| N_R,\ g^{xy}) \quad (4)$$

for SIG-authentication. $\|$ represents concatenation. HASH(1) is a hash of the certificate which the initiator is using to encrypt his/her nonce and identity. CERT is a certificate payload, and brackets [ ] indicate that the bracketed content is optional.
Fig. 2. ISAKMP/Oakley Phase 1 authenticated by the use of public-key primitives (Aggressive Mode). ENC_{PK_X} indicates encryption with the public key PK_X of an entity X. E_K is the encryption function of a private-key cipher, where K represents the encryption key. Ke_I and Ke_R are ephemeral keys derived from the nonces and the cookies.

(a) authenticated with public-key encryption (PKE-authentication)
  I -> R:  HDR, SA, [HASH(1),] KE, ENC_{PK_R}(ID_I), ENC_{PK_R}(N_I)
  R -> I:  HDR, SA, KE, ENC_{PK_I}(ID_R), ENC_{PK_I}(N_R), HASH_R
  I -> R:  HDR, HASH_I

(b) authenticated with signatures (SIG-authentication)
  I -> R:  HDR, SA, KE, N_I, ID_I
  R -> I:  HDR, SA, KE, N_R, ID_R, [CERT,] SIG_R
  I -> R:  HDR, [CERT,] SIG_I

(c) authenticated with public-key encryption (revised version: revised PKE-authentication)
  I -> R:  HDR, SA, [HASH(1),] ENC_{PK_R}(N_I), E_{Ke_I}(KE), E_{Ke_I}(ID_I), [E_{Ke_I}(CERT)]
  R -> I:  HDR, SA, ENC_{PK_I}(N_R), E_{Ke_R}(KE), E_{Ke_R}(ID_R), HASH_R
  I -> R:  HDR, HASH_I

The result of Aggressive Mode key agreement is three groups of authenticated keying material:

$$\mathit{SKEYID}_d = \mathit{prf}(\mathit{SKEYID},\ g^{xy} \| \mathit{CKY}_I \| \mathit{CKY}_R \| 0) \quad (5)$$

$$\mathit{SKEYID}_a = \mathit{prf}(\mathit{SKEYID},\ \mathit{SKEYID}_d \| g^{xy} \| \mathit{CKY}_I \| \mathit{CKY}_R \| 1) \quad (6)$$

$$\mathit{SKEYID}_e = \mathit{prf}(\mathit{SKEYID},\ \mathit{SKEYID}_a \| g^{xy} \| \mathit{CKY}_I \| \mathit{CKY}_R \| 2) \quad (7)$$

SKEYID_e is used by the ISAKMP SA to protect its messages. SKEYID_a is used by the ISAKMP SA to authenticate its messages. SKEYID_d is used to derive keys for non-ISAKMP SAs. PKE-authentication requires two public-key encryption and two public-key decryption operations by each of the initiator and the responder. The authors of [6] modify it into a revised PKE-authentication which requires only one public-key encryption and one decryption operation per party while maintaining the security properties. The revised PKE-authentication is described in Fig. 2 (c). Ke_I and Ke_R are ephemeral keys derived from the nonces and the cookies. The first step of the derivation is

$$\mathit{Ne}_I = \mathit{prf}(N_I,\ \mathit{CKY}_I) \quad (8)$$

$$\mathit{Ne}_R = \mathit{prf}(N_R,\ \mathit{CKY}_R) \quad (9)$$

Then, if the desired length of Ke_I is at most the length of Ne_I, the sufficient number of most significant bits of Ne_I is used as Ke_I. If not, more bits are generated by applying the pseudo-random function prf with Ne_I as the key and a byte of 0 as the input. The output of prf is then fed back into itself until a sufficient number of bits is obtained. For example, if the output of prf is 128 bits long and Ke_I needs to be 320 bits long, then Ke_I is the most significant 320 bits of K, where

$$K = K_1 \| K_2 \| K_3 = \mathit{prf}(\mathit{Ne}_I, 0) \| \mathit{prf}(\mathit{Ne}_I, K_1) \| \mathit{prf}(\mathit{Ne}_I, K_2) \quad (10)$$

Ke_R is derived analogously.

B. CPU-Exhaustion DoS Attack

The Aggressive Mode shown in the previous subsection is vulnerable to a CPU-exhaustion DoS attack. In SIG-authentication, the protocol may require the responder to generate a digital signature with heavy computation before identifying the initiator. For example, RSA public-key primitives are recommended to be supported in ISAKMP/Oakley, and generation of RSA signatures costs much more than their verification because a relatively larger exponent is used in signature generation. This motivates a DoS attacker to launch a tremendous number of arbitrary requests. Even if signature generation is inexpensive, the responder must still verify the signature on a fake acknowledgment message.
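The key derivations of equations (3) to (10) above, carried out in working code as an added example; this is not code from the paper or from any IKE implementation. It assumes SHA-256 for hash and HMAC-SHA-256 for prf (the paper fixes neither), takes the "byte of 0" in (10) and the trailing 0, 1, 2 in (5) to (7) as single octets, and the nonces, cookies and DH shared secret used when running it are constructed values, not protocol captures.

```python
"""IKE Aggressive Mode key derivation, equations (3)-(10) of the paper.

Added worked example, not code from the paper.  Assumptions the paper does
not fix: hash = SHA-256, prf = HMAC-SHA-256, and the "byte of 0" fed to prf
in equation (10) is the single octet 0x00.
"""
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed pseudo-random function prf(key, data); HMAC-SHA-256 here."""
    return hmac.new(key, data, hashlib.sha256).digest()


def hash_fn(data: bytes) -> bytes:
    """One-way hash; SHA-256 here (an assumption, not fixed by the paper)."""
    return hashlib.sha256(data).digest()


def skeyid_pke(n_i: bytes, n_r: bytes, cky_i: bytes, cky_r: bytes) -> bytes:
    """Equation (3): SKEYID for PKE-authentication."""
    return prf(hash_fn(n_i + n_r), cky_i + cky_r)


def skeyid_sig(n_i: bytes, n_r: bytes, g_xy: bytes) -> bytes:
    """Equation (4): SKEYID for SIG-authentication (g_xy = encoded DH secret)."""
    return prf(n_i + n_r, g_xy)


def skeyid_dae(skeyid: bytes, g_xy: bytes, cky_i: bytes, cky_r: bytes):
    """Equations (5)-(7): (SKEYID_d, SKEYID_a, SKEYID_e).  The trailing
    0, 1, 2 are single octets (assumption)."""
    d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + g_xy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + g_xy + cky_i + cky_r + b"\x02")
    return d, a, e


def derive_ke(nonce: bytes, cookie: bytes, key_bits: int) -> bytes:
    """Equations (8)-(10): ephemeral key Ke from a nonce and a cookie.

    Ne = prf(nonce, cookie).  If Ne is long enough, its most significant
    bits are the key; otherwise K = prf(Ne, 0) || prf(Ne, K1) || prf(Ne, K2)
    || ... is generated by feeding each output back in until enough bits
    exist, and the most significant key_bits of K are returned.
    """
    if key_bits <= 0 or key_bits % 8:
        raise ValueError("key length must be a positive multiple of 8 bits")
    key_len = key_bits // 8
    ne = prf(nonce, cookie)
    if key_len <= len(ne):
        return ne[:key_len]
    block = prf(ne, b"\x00")          # K1 = prf(Ne, 0)
    k = block
    while len(k) < key_len:
        block = prf(ne, block)        # K_{i+1} = prf(Ne, K_i)
        k += block
    return k[:key_len]


if __name__ == "__main__":
    # Constructed sample values (not captured traffic).
    n_i, n_r = b"\x01" * 16, b"\x02" * 16
    cky_i, cky_r = b"\x0a" * 8, b"\x0b" * 8
    g_xy = b"\x99" * 32
    s = skeyid_sig(n_i, n_r, g_xy)
    d, a, e = skeyid_dae(s, g_xy, cky_i, cky_r)
    print("SKEYID_e:", e.hex())
    print("Ke_I (320 bits):", derive_ke(n_i, cky_i, 320).hex())
```

With a 256-bit prf output, a 320-bit Ke_I needs two feedback blocks (K_1 || K_2, truncated), whereas the paper's 128-bit example needs three; the loop handles either case.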
In PKE-authentication, the protocol requires the responder to decrypt two public-key-encrypted payloads before identifying the initiator. Unfortunately, this decryption is also computationally expensive (footnote 1) and therefore can be abused by an attacker. Although the required number of decryptions is reduced to one, revised PKE-authentication can be attacked in the same scenario.

[Footnote 1: For instance, RSA decryption costs much more than RSA encryption because a larger exponent is used.]

IV. DoS-Resistant Resolution

A. Protocol

We consider how to enhance the resistance of SIG-authentication against DoS attacks. Specifically, we introduce a modified hash payload in the acknowledgment from the initiator. This modified hash payload plays the role of the acknowledgment material in our basic strategy: a reconstructed RF material is used in the computation of the modified hash. The RF material is originally included implicitly in the reply from the responder. The proposed protocol is outlined in Fig. 3. We will refer to this protocol as revised SIG-authentication in the following. In contrast to SIG-authentication, revised SIG-authentication is described as follows.

1. The first message, a request from the initiator, is the same as that in SIG-authentication: the initiator sends the ISAKMP header followed by the SA, keying material, the initiator's nonce, and his/her ID.
2. The second message, a reply from the responder, is also the same as that in SIG-authentication, but with one restriction: to generate SIG_R, the responder must use a signature scheme with the following properties. First, the expensive computation in signature generation can be completed in advance, independently of the initiator, i.e., as a precomputation before receiving the request. Second, the verification procedure includes the reconstruction of an RF material R_r.
3. In the computation of the digitally signed hash payloads, SKEYID is replaced with a one-way hashed value SKEYID' = hash(N_I || N_R), which is random and fresh but publicly known. This does not change the security of the signature algorithm itself. If the initiator fears an attack by replacement of the responder's public key, the certificate option is available to protect him/her from that attack. SKEYID_e, SKEYID_a, and SKEYID_d are derived from the same SKEYID as in the conventional SIG-authentication.
4. In the computation of the initiator's digitally signed hash payload, the hash payload is replaced with a modified hash payload. The modified hash is defined as HASH*_I = prf(SKEYID', g^x || g^y || CKY_I || CKY_R || R_r || SAb || ID_I). The acknowledgment message explicitly includes HASH*_I: in the third (acknowledgment) message from the initiator, the ISAKMP header is followed by the modified hash payload and the initiator's signature SIG*_I on it. A certificate payload CERT is optional.
5. On receiving the acknowledgment message, the responder first checks whether the modified hash really uses the RF material R_r. Then, if successful, he/she goes on to the signature-verification procedure.
6. The signature scheme for SIG*_I is not necessarily the same as that for SIG_R; SIG*_I may use a public/secret key pair whose relationship is different from that of (PK_I, SK_I) in Fig. 3. (PK_I, SK_I) is provided for the case when the initiator plays the responder's role in a different session.

B. Formal Description

Using the step numbers specified in Fig. 1, a more formal description of the proposed protocol is given as follows.

(Initiator's Keys) Secret key: SK_I chosen at random from [1, 2, ..., q-2]. Public key: PK_I = g^{SK_I} mod p.
(Responder's Keys) Secret key: SK_R chosen at random from [1, 2, ..., q-2]. Public key: PK_R = g^{SK_R} mod p.

Step (1) Each entity precomputes DH public values. Since the signature algorithm has computation steps which can be completed in advance, each entity carries out the precomputation and keeps the resultant RF materials.
Step (2) The initiator generates a request message as specified in SIG-authentication. A precomputed DH public value is used to create KE.
Step (3) The initiator sends the request message HDR, SA, KE, N_I, ID_I to the responder.
Step (4) The responder selects a proposal in SA, if necessary. The responder computes SKEYID' = hash(N_I || N_R) and his/her hash payload HASH_R = prf(SKEYID', g^x || g^y || CKY_R || CKY_I || SAb || ID_R). The responder generates his/her signature SIG_R on HASH_R. An RF material R_r is used in the signature generation and is kept by the responder, who needs it again in Step (8). A precomputed DH public value is used to create KE.
Step (5) The responder sends his/her reply message HDR, SA, KE, N_R, ID_R, [CERT,] SIG_R to the initiator. CERT is an optional certificate payload for SIG_R.
Fig. 3. ISAKMP/Oakley Phase 1 with DoS-resistant authentication (Aggressive Mode). The relationship between secret and public keys is an example for ElGamal-like signatures: p is a large prime, q is a large prime factor of p-1, and g is a public integer of order q modulo p. SIG*_I, HASH*_I is a digitally signed modified hash payload, which acts as the acknowledgment material in our basic strategy against DoS attack.

  Initiator (I)                                    Responder (R)
  Secret key: SK_I random in [1, 2, ..., q-2]       Secret key: SK_R random in [1, 2, ..., q-2]
  Public key: PK_I = g^{SK_I} mod p                 Public key: PK_R = g^{SK_R} mod p

  I -> R:  HDR, SA, KE, N_I, ID_I
  R -> I:  HDR, SA, KE, N_R, ID_R, [CERT,] SIG_R
  I -> R:  HDR, [CERT,] SIG*_I, HASH*_I

Step (6) According to the selected SA, the initiator verifies the responder's signature SIG_R. If successful, the initiator computes SKEYID' = hash(N_I || N_R) and his/her modified hash payload HASH*_I = prf(SKEYID', g^x || g^y || CKY_I || CKY_R || R_r || SAb || ID_I), where R_r is the RF material obtained in the signature-verification procedure. The initiator then computes his/her signature SIG*_I on HASH*_I.
Step (7) The initiator sends the acknowledgment message HDR, [CERT,] SIG*_I, HASH*_I to the responder. CERT is an optional certificate payload for SIG*_I.
Step (8) The responder checks whether HASH*_I is really constructed using the correct RF material R_r. If successful, the responder verifies the initiator's signature SIG*_I.
Step (9) If everything is successful, keying material is finally established: from the DH public values, both the initiator and the responder compute and establish the authenticated keying material SKEYID = prf(N_I || N_R, g^{xy}), SKEYID_d = prf(SKEYID, g^{xy} || CKY_I || CKY_R || 0), SKEYID_a = prf(SKEYID, SKEYID_d || g^{xy} || CKY_I || CKY_R || 1), and SKEYID_e = prf(SKEYID, SKEYID_a || g^{xy} || CKY_I || CKY_R || 2).

C. Examples

In the following, we show two specific examples of revised SIG-authentication. The first one is based on a shortened Digital Signature Standard (SDSS) [7]. Like the original DSA (Digital Signature Algorithm) [8] or DSS (Digital Signature Standard) [9], the shortened DSS is unforgeable by adaptive attackers under the assumptions that the discrete logarithm is hard and that the one-way hash function behaves like a random function [7], [10].

Precomputation by the responder: $x_r \in_R [1, 2, \ldots, q-2]$, $R_r = g^{x_r} \bmod p$.

Generation of the responder's signature: $T_R = \mathit{hash}(R_r, \mathit{HASH}_R)$, $\mathit{SIG}_R = (s_1, s_2) = \big(x_r / (T_R + \mathit{SK}_R) \bmod q,\ T_R\big)$.

Verification of the responder's signature: $\hat{R}_r = (g^{s_2} \cdot \mathit{PK}_R)^{s_1} \bmod p$. The initiator accepts the signature if and only if $s_2$ is equal to $\mathit{hash}(\hat{R}_r, \mathit{HASH}_R)$.

Computation of the modified hash: $\mathit{SKEYID}' = \mathit{hash}(N_I \| N_R)$, $\mathit{HASH}^*_I = \mathit{prf}(\mathit{SKEYID}',\ g^x \| g^y \| \mathit{CKY}_I \| \mathit{CKY}_R \| \hat{R}_r \| \mathit{SAb} \| \mathit{ID}_I)$.

Verification of the modified hash: the responder accepts the modified hash if and only if $\mathit{HASH}^*_I$ is equal to $\mathit{prf}(\mathit{SKEYID}',\ g^x \| g^y \| \mathit{CKY}_I \| \mathit{CKY}_R \| R_r \| \mathit{SAb} \| \mathit{ID}_I)$.

The second example is based on Schnorr's signature scheme [11].

Precomputation by the responder: $x_r \in_R [1, 2, \ldots, q-2]$, $R_r = g^{x_r} \bmod p$.

Generation of the responder's signature: $T_R = \mathit{hash}(\mathit{HASH}_R \| R_r)$, $\mathit{SIG}_R = (s_1, s_2) = (\mathit{SK}_R \cdot T_R + x_r \bmod q,\ T_R)$.

Verification of the responder's signature: $\hat{R}_r = g^{s_1} \cdot \mathit{PK}_R^{-s_2} \bmod p$. The initiator accepts the signature if and only if $s_2$ is equal to $\mathit{hash}(\mathit{HASH}_R \| \hat{R}_r)$.

Computation of the modified hash: $\mathit{SKEYID}' = \mathit{hash}(N_I \| N_R)$, $\mathit{HASH}^*_I = \mathit{prf}(\mathit{SKEYID}',\ g^x \| g^y \| \mathit{CKY}_I \| \mathit{CKY}_R \| \hat{R}_r \| \mathit{SAb} \| \mathit{ID}_I)$.

Verification of the modified hash: the responder accepts the modified hash if and only if $\mathit{HASH}^*_I$ is equal to $\mathit{prf}(\mathit{SKEYID}',\ g^x \| g^y \| \mathit{CKY}_I \| \mathit{CKY}_R \| R_r \| \mathit{SAb} \| \mathit{ID}_I)$.
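The Schnorr instance of revised SIG-authentication run end to end, as an added example that is not code from the paper: the responder precomputes R_r and signs HASH_R without any modular exponentiation, the initiator reconstructs R_r while verifying SIG_R and binds it into HASH*_I, and the responder's Step (8) rejects a Type 1 attacker's acknowledgment with a single prf evaluation before spending any modular exponentiation on SIG*_I. The group p = 2039, q = 1019, g = 4 is a toy assumption (far too small for real use), as are SHA-256 for hash, HMAC-SHA-256 for prf, the fixed-width encoding of group elements, and the constructed nonces, cookies, SA body and identities.

```python
"""Revised SIG-authentication (Section IV) with Schnorr's scheme, including
the responder's cheap check of HASH*_I before any signature verification.

Added worked example, not code from the paper.  Assumptions the paper leaves
open: toy group p = 2039, q = 1019, g = 4 (never use such sizes for real),
hash = SHA-256, prf = HMAC-SHA-256, big-endian fixed-width encodings, and
constructed protocol constants below.
"""
import hashlib
import hmac
import secrets

P, Q, G = 2039, 1019, 4            # p = 2q + 1; g = 2^2 is a square, so order q
assert pow(G, Q, P) == 1 and G != 1
_WIDTH = (P.bit_length() + 7) // 8

# Modular exponentiations per party: the cost measure of the paper's
# evaluation (each one is |q| squarings-and-multiplies at most).
MODEXPS = {"initiator": 0, "responder": 0}


def modexp(who, base, exp):
    MODEXPS[who] += 1
    return pow(base, exp % Q, P)   # base is in the order-q subgroup


def enc(n):
    return n.to_bytes(_WIDTH, "big")


def hash_fn(data):
    return hashlib.sha256(data).digest()


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def random_exponent():
    return 1 + secrets.randbelow(Q - 2)   # uniform in [1, q-2]


def keygen(who):
    sk = random_exponent()
    return sk, modexp(who, G, sk)


def precompute(who):
    """Step (1): RF material R = g^x, done before any request arrives."""
    x = random_exponent()
    return x, modexp(who, G, x)


def schnorr_sign(sk, x, r, msg):
    """T = hash(msg || R); SIG = (s1, s2) = (SK*T + x mod q, T).  No modexp."""
    t = hash_fn(msg + enc(r))
    return (sk * int.from_bytes(t, "big") + x) % Q, t


def schnorr_verify(who, pk, msg, sig):
    """R^ = g^s1 * PK^-s2 mod p; accept iff s2 == hash(msg || R^).
    Returns the reconstructed RF material R^, or None on failure."""
    s1, s2 = sig
    t = int.from_bytes(s2, "big")
    r_hat = (modexp(who, G, s1) * modexp(who, pk, -t)) % P
    return r_hat if hmac.compare_digest(hash_fn(msg + enc(r_hat)), s2) else None


def hash_payload(skeyid_p, g_x, g_y, cky_a, cky_b, sab, ident, r_r=None):
    """HASH_R when r_r is None, the modified hash HASH*_I when R_r is given."""
    extra = b"" if r_r is None else enc(r_r)
    return prf(skeyid_p, enc(g_x) + enc(g_y) + cky_a + cky_b + extra + sab + ident)


# Constructed protocol constants (not captured traffic).
N_I, N_R = b"\x11" * 16, b"\x22" * 16
CKY_I, CKY_R = b"\xa1" * 8, b"\xb2" * 8
SAB, ID_I, ID_R = b"sa-body", b"initiator@example", b"responder@example"


def run_session(bogus_ack=False):
    """Three passes of Fig. 3.  bogus_ack=True models a Type 1 attacker who
    sends a random HASH*_I without ever verifying SIG_R."""
    for k in MODEXPS:
        MODEXPS[k] = 0
    sk_i, pk_i = keygen("initiator")
    sk_r, pk_r = keygen("responder")
    _, g_x = precompute("initiator")          # Step (1): DH values and
    x_i, r_i = precompute("initiator")        # RF materials of both sides
    _, g_y = precompute("responder")
    x_r, r_r = precompute("responder")
    skeyid_p = hash_fn(N_I + N_R)             # Step (4): SKEYID' and SIG_R,
    hash_r = hash_payload(skeyid_p, g_x, g_y, CKY_R, CKY_I, SAB, ID_R)
    sig_r = schnorr_sign(sk_r, x_r, r_r, hash_r)   # no modexp on the responder
    if bogus_ack:
        hash_star, sig_star = secrets.token_bytes(32), (0, b"\x00" * 32)
    else:                                     # Step (6): recover R^_r, bind it
        r_hat = schnorr_verify("initiator", pk_r, hash_r, sig_r)
        if r_hat is None:
            return {"accepted": False, "responder_step8_modexps": 0}
        hash_star = hash_payload(skeyid_p, g_x, g_y, CKY_I, CKY_R, SAB, ID_I, r_hat)
        sig_star = schnorr_sign(sk_i, x_i, r_i, hash_star)
    before = MODEXPS["responder"]             # Step (8): one prf first,
    expected = hash_payload(skeyid_p, g_x, g_y, CKY_I, CKY_R, SAB, ID_I, r_r)
    accepted = hmac.compare_digest(expected, hash_star) and \
        schnorr_verify("responder", pk_i, hash_star, sig_star) is not None
    return {"accepted": accepted,
            "responder_step8_modexps": MODEXPS["responder"] - before}


if __name__ == "__main__":
    print("genuine:", run_session())
    print("bogus  :", run_session(bogus_ack=True))
```

Running the file shows the falling-together property in the paper's own cost measure: the genuine session is accepted after the responder spends two modular exponentiations verifying SIG*_I, while the bogus acknowledgment costs the responder none, and an attacker who wants to pass the cheap check must pay the two exponentiations in schnorr_verify (a Type 2 attacker) to learn R_r.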
D. Evaluation

Let us evaluate the DoS resistance in terms of computational cost. The cost is measured by the total number of modular multiplications required for modular exponentiation. We classify DoS attackers into two types:

(Type 1) An attacker who launches completely fake requests.
(Type 2) An attacker who pays the computational cost necessary to impose modular exponentiation on the responder. In revised SIG-authentication, for example, the attacker must really verify the responder's signature in order to construct a correct modified hash.

PKE-authentication, SIG-authentication, and revised PKE-authentication are implemented with well-known encryption/signature schemes such as RSA, ElGamal, DSA, and Schnorr [4]. Regarding the cost of RSA, we ignore the cost of encryption or signature verification, assuming that a relatively small exponent is used in RSA encryption or signature verification [7]. This assumption favors the conventional schemes. Regarding the cost of modular exponentiation in RF-material generation, it is assumed that precomputation is available both to the attacker and to the responder. DH public values are also assumed to be precomputed. The computational cost is determined by the number of non-trivial modular multiplications, and each multiplication costs in proportion to the size of the modulus (in bits). In the case of a Type 1 attacker, the computational cost per request is summarized as follows.

  Scheme                                  Attacker's side   Responder's side
  PKE-authentication (RSA)                      0           0.375|n| = 384
  PKE-authentication (ElGamal)                  0           1.5|p|   = 1536
  revised PKE-authentication (RSA)              0           0.375|n| = 384
  revised PKE-authentication (ElGamal)          0           1.5|p|   = 1536
  SIG-authentication (RSA)                      0           0.375|n| = 384
  SIG-authentication (ElGamal)                  0           4.5|p|   = 4608
  SIG-authentication (DSA)                      0           3|q|     = 480
  SIG-authentication (Schnorr)                  0           3|q|     = 480
  revised SIG-authentication (SDSS)             0           0
  revised SIG-authentication (Schnorr)          0           0

where n is the RSA composite and |n| indicates its size (in bits). Recommended sizes are, say, |n| = |p| = 1024 and |q| = 160; the numerical results are based on this assignment. In revised SIG-authentication, unlike the conventional authentications, the responder does not have to pay an expensive cost for requests from Type 1 attackers, who cannot send a correct modified hash.

In the case of a Type 2 attacker, the verification cost of the responder's signature is estimated assuming the help of simultaneous multiple exponentiation (SME), which is attributed by ElGamal [12] to Shamir and well summarized in [4]. This assumption reduces the cost on the attacker's side. By contrast, the attacker's signature is not assumed to be verified with the help of SME, because the responder does not want to pay the precomputation cost of SME in preparation for Type 1 attackers. It should be noted that the responder does not know in advance whether an attacker is of Type 1 or of Type 2. The computational cost per request is then summarized as follows.

  Scheme                                  Attacker's side   Responder's side
  PKE-authentication (RSA)                      0           0.375|n| = 384
  PKE-authentication (ElGamal)                  0           1.5|p|   = 1536
  revised PKE-authentication (RSA)              0           0.375|n| = 384
  revised PKE-authentication (ElGamal)          0           1.5|p|   = 1536
  SIG-authentication (RSA)                      0           0.375|n| = 384
  SIG-authentication (ElGamal)                  0           4.5|p|   = 4608
  SIG-authentication (DSA)                      0           3|q|     = 480
  SIG-authentication (Schnorr)                  0           3|q|     = 480
  revised SIG-authentication (SDSS)       1.75|q| = 280     3|q|     = 480
  revised SIG-authentication (Schnorr)    1.75|q| = 280     3|q|     = 480

A Type 2 attacker does not have to pay any computational cost in the conventional authentications, while revised SIG-authentication imposes on the attacker a cost of 1.75|q| = 280, i.e., 58.3% of the 3|q| = 480 paid on the responder's side. Thus the attacker must exhaust the same order of computational resources if he/she wants to exhaust the responder's resources.
It should be noted that revised SIG-authentication does not reduce efficiency in a normal situation where no DoS attackers appear, in terms of either computational load or communication overhead. In SIG-authentication with Schnorr's signature or DSA, the initiator constructs a hash payload and the responder checks it anyway. The only difference is whether an intermediate variable obtained during the signature-verification procedure is used as an additional input to the initiator's hash payload. In conclusion, revised SIG-authentication is the most DoS-resistant while keeping the efficiency of Aggressive Mode.

V. Discussion on Security

A. Assumption

In the proposed protocol, the security of the secret keys relies on the hardness of the discrete-logarithm (DL) problem. Let us consider whether this requires an additional assumption. ISAKMP/Oakley in itself is not devoted to any specific encryption/signature scheme. However, it is restricted to the use of DH public values for keying. This means that the difficulty of the DL problem is already assumed in the security consideration of ISAKMP/Oakley, since the DH problem is at most as hard as the DL problem [13]. Hence we can say that the proposed version does not require any additional assumption regarding security in that sense.

B. Memory Exhaustion

When the responder has sufficient memory such that precomputed values are never exhausted, the proposed protocol alone defeats DoS attacks well. When memory is insufficient, DoS resistance is not trivial, although the proposed falling-together strategy allows us to assume that memory exhaustion is more significant than CPU exhaustion. Aiming at DoS resistance with regard to memory exhaustion, we can use network ingress filtering (NIF) [14]. NIF routers restrict outgoing traffic to known valid prefixes. This subsection studies how significantly our proposal and NIF contribute to system availability.

(Model) NIF limits the number of bogus packets per attack. We assume that the attackers use the same number (M) of bogus requests per attack. The proposed strategy in the key-agreement protocol reduces the damage caused by bogus requests, since responders only have to pay for precomputation. We can interpret this cost-reduction effect by replacing M with a fraction of M; we will refer to that fraction, which is at most 1, as the cost-reduction coefficient. For simplicity, the following analysis deals with the most pessimistic situation, a cost-reduction coefficient equal to 1. It should be noted that the falling-together strategy would give better DoS resistance if the implementation is optimized to reduce the cost-reduction coefficient. The analysis considers a statistically equilibrated model whose state-transition diagram is illustrated in Fig. 4.

Fig. 4. State-transition diagram of a responder in an ingress-filtered network. Each state is represented by the number of available sets of precomputed materials.

As a typical parameter assignment, we use C = as the responder's memory capacity for precomputed materials, R = 0.001 as the rate of valid requests, and M = 256 as the number of bogus requests per attack. The precomputation power U was kept constant as the time unit. We considered the same security level as in the previous section, i.e., |p| = 1024 and |q| = 160. So if the performance level is of the order of several hundred Kbps for public-key primitives, C = corresponds to a few MB of memory. In this case, R = 0.001 causes a few valid requests per minute. We can interpret the state-transition diagram as the following set of equations:

$$\frac{dP_C}{dt} = U P_{C-1} - (D + R) P_C \quad (11)$$

$$\frac{dP_i}{dt} = U P_{i-1} - (D + R + U) P_i + R P_{i+1} \qquad (C - M < i < C) \quad (12)$$

$$\frac{dP_i}{dt} = U P_{i-1} - (D + R + U) P_i + R P_{i+1} + D P_{i+M} \qquad (0 < i \le C - M) \quad (13)$$

$$\frac{dP_0}{dt} = -U P_0 + R P_1 + D \sum_{j=1}^{M} P_j \quad (14)$$

$$\sum_{j=0}^{C} P_j = 1 \quad (15)$$

where P_i is the probability that the server is in state i and D represents the rate of bogus requests. In statistical equilibrium, each derivative dP_i/dt is zero, so P_0, P_1, ..., P_C can be computed by solving the resulting linear equations:

$$U P_{C-1} - (D + R) P_C = 0 \quad (16)$$

$$U P_{i-1} - (D + R + U) P_i + R P_{i+1} = 0 \qquad (C - M < i < C) \quad (17)$$

$$U P_{i-1} - (D + R + U) P_i + R P_{i+1} + D P_{i+M} = 0 \qquad (0 < i \le C - M) \quad (18)$$

$$\sum_{j=0}^{C} P_j = 1 \quad (19)$$

where P_i is the probability that the responder is in state i. P_0 is called the blocking probability, since the precomputed materials are exhausted in state 0.

Fig. 5. Blocking probability P_0 [%] as a function of the rate of bogus requests D, when each attack is composed of M = 256 bogus requests. The cost-reduction coefficient is assumed to be 1.

(Results) Figure 5 shows the blocking probability P_0 as a function of the rate of attack D. The blocking probability P_0 is lower than 10% even if the rate of attack D is 0.1. This suggests that the responder is usually alive even when attacked by several hundred sets of bogus requests per minute.

VI. Concluding Remarks

A "falling-together" strategy was used to construct a DoS-resistant resolution of three-pass ISAKMP/Oakley key agreement (Phase 1). As a result, attackers fear their own resource exhaustion, and thus we obtain a deterrent to DoS attacks. If we consider key-agreement protocols in upper layers, one may argue that DoS protection should rely not on the key-agreement protocol but on a lower-layer mechanism. In the development of the next-generation Internet, however, even a network-layer protocol is going to be equipped with security mechanisms including public-key cryptography. This motivated us to modify the currently known versions of ISAKMP/Oakley or IKE in IPv6; the proposed version provides significantly better resistance against CPU-exhaustion attacks in the IP layer itself. In our analysis, memory exhaustion was also considered in a non-optimized ingress-filtered network.
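The stationary equations (16) to (19) solved numerically, as an added example that is not code from the paper. It builds the balance equations of the state-transition diagram (state i = available sets of precomputed material; precomputation U moves i to i+1, a valid request R moves i to i-1, and an attack D consumes M sets, driving states 1..M to 0), replaces one redundant balance row by the normalization (19), and solves the system with a dense Gaussian elimination in pure Python. The value of C is not legible in this copy and a dense solver is only practical for C of a few hundred, so the demo uses small constructed parameters rather than the paper's C and M = 256; U is the time unit as in the paper.

```python
"""Blocking probability of the ingress-filtered responder model, Section V.B,
equations (16)-(19).  Added worked example, not code from the paper.

State i (0 <= i <= C) is the number of available sets of precomputed
materials.  Rates: U precomputation (i -> i+1), R valid request (i -> i-1),
D attack of M bogus requests (i -> max(i-M, 0)).  The cost-reduction
coefficient is taken as 1, the pessimistic case analysed in the paper.
"""


def balance_matrix(C, M, U, R, D):
    """Row i holds the coefficients of dP_i/dt in the unknowns P_0..P_C."""
    if C < 2 or M < 1:
        raise ValueError("need C >= 2 and M >= 1")
    n = C + 1
    A = [[0.0] * n for _ in range(n)]
    # State 0: inflow from a valid request in state 1 and from an attack in
    # any state 1..M (which lands in 0); the only outflow is precomputation.
    A[0][0] -= U
    A[0][1] += R
    for j in range(1, min(M, C) + 1):
        A[0][j] += D
    # Interior states, eqs. (17) and (18).
    for i in range(1, C):
        A[i][i - 1] += U
        A[i][i] -= D + R + U
        A[i][i + 1] += R
        if i + M <= C:              # eq. (18): an attack in state i+M lands in i
            A[i][i + M] += D
    # Full state C, eq. (16): nothing left to precompute, so no U outflow.
    A[C][C - 1] += U
    A[C][C] -= D + R
    return A


def solve_linear(A, b):
    """Gauss-Jordan elimination with partial pivoting (dense, pure Python)."""
    n = len(b)
    m = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        if m[col][col] == 0.0:
            raise ValueError("singular system")
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def stationary_distribution(C, M, U, R, D):
    """P_0..P_C with every dP_i/dt = 0.  The balance rows sum to zero, so
    one of them is redundant and is replaced by eq. (19), sum_j P_j = 1."""
    A = balance_matrix(C, M, U, R, D)
    A[C] = [1.0] * (C + 1)
    b = [0.0] * C + [1.0]
    return solve_linear(A, b)


def blocking_probability(C, M, U, R, D):
    """P_0: the responder has no precomputed material left."""
    return stationary_distribution(C, M, U, R, D)[0]


def balance_residual(P, C, M, U, R, D):
    """max_i |dP_i/dt| for a candidate distribution; ~0 at equilibrium."""
    A = balance_matrix(C, M, U, R, D)
    return max(abs(sum(a * p for a, p in zip(row, P))) for row in A)


if __name__ == "__main__":
    # Constructed small parameters (C = 48 sets, M = 16 per attack).
    for D in (0.05, 0.1, 0.2, 0.5):
        print(f"D = {D:<5} P_0 = {blocking_probability(48, 16, 1.0, 0.001, D):.3%}")
```

The residual function is the check a practitioner wants before trusting the numbers: it re-evaluates every balance equation on the returned vector, so a wrong transition in the matrix shows up as a non-zero residual rather than as a plausible-looking but meaningless P_0.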
For a typical parameter assignment, the responder is usually alive even when attacked by several hundred sets of bogus requests per minute. If the implementation is optimized to make better use of the falling-together strategy for cost reduction on the responder's side, the DoS resistance would be improved even more significantly.

References

[1] D. Harkins and D. Carrel, "The resolution of ISAKMP with Oakley," Internet Draft, draft-ietf-ipsec-isakmp-oakley-33.txt.
[2] D. Harkins and D. Carrel, "The Internet Key Exchange (IKE)," RFC 2409, Nov.
[3] W. Diffie and M. Hellman, "New directions in cryptography," IEEE Trans. Information Theory, vol. IT-22, no. 6, pp. 644-654.
[4] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, Inc., Boca Raton, Florida.
[5] K. Matsuura and H. Imai, "Protection of authenticated key-agreement protocol against a denial-of-service attack," Proceedings of 1998 International Symposium on Information Theory and Its Applications (ISITA'98), pp. 466-470, Oct.
[6] R. Canetti, P. Cheng, and H. Krawczyk, "A revised encryption mode for ISAKMP/Oakley," Internet Draft, draft-ietf-ipsec-revised-enc-mode-01.txt, July.
[7] Y. Zheng, "Digital signcryption or how to achieve Cost(Signature & Encryption) << Cost(Signature) + Cost(Encryption)," in Advances in Cryptology, Crypto'97, Aug. 1997, Lecture Notes in Computer Science 1294, pp. 165-179, Springer-Verlag.
[8] D. W. Kravitz, "Digital signature algorithm," U.S. Patent 5,231,668, July.
[9] FIPS 186, "Digital Signature Standard," Federal Information Processing Standards Publication FIPS PUB 186, 1994, U.S. Department of Commerce/NIST, National Technical Information Service.
[10] D. Pointcheval and J. Stern, "Security proofs for signature schemes," in Advances in Cryptology, EUROCRYPT'96, U. Maurer, Ed., 1996, pp. 387-398, Springer-Verlag, Lecture Notes in Computer Science.
[11] C. P. Schnorr, "Efficient signature generation by smart cards," Journal of Cryptology, vol. 4, pp. 161-174.
[12] T. ElGamal, "A public key cryptosystem and a signature scheme based on discrete logarithms," IEEE Trans. Information Theory, vol. IT-31, no. 4, pp. 469-472.
[13] U. M. Maurer and S. Wolf, "Diffie-Hellman oracles," in Advances in Cryptology, CRYPTO'96, N. Koblitz, Ed., Aug. 1996, pp. 268-282, Springer-Verlag, Lecture Notes in Computer Science.
[14] P. Ferguson and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing," RFC 2267, Jan.
More information