Security Analysis of Two Anonymous Authentication Protocols for Distributed Wireless Networks
An abridged version of this paper appears in the Proc. of the Third IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom 2005 Workshops), 8-12 March 2005, Kauai Island, Hawaii.

Duncan S. Wong
Department of Computer Science
City University of Hong Kong
Hong Kong

December 19, 2004

Abstract

In a set of distributed wireless networks, such as globally distributed cellular systems, different networks could be administered by different operators. Mobile devices subscribed to one network may need to access networks administered by other operators. An anonymous authentication protocol allows a roaming mobile device to anonymously authenticate itself to a visiting network in such a way that eavesdroppers in the visiting network and operators of other networks can only tell to which network the mobile device is subscribed but cannot tell the identity of the mobile device. The protocol is useful for protecting the privacy of the roaming mobile device. In this paper, we review two anonymous authentication protocols and point out some of their weaknesses and flaws. We show that these protocols are vulnerable to some practical attacks and that the anonymity of a roaming mobile device could be compromised.

1 Introduction

Consider a set of globally distributed cellular systems, or a meshed set of wireless LANs supporting roaming, each consisting of distributed wireless networks that could be administered by different operators. When a mobile device subscribed to one network, referred to as the mobile device's home network, roams across the distributed wireless networks, it may access a network which is administered by a different operator, referred to as the mobile device's foreign network.
An anonymous authentication protocol allows this roaming mobile device to anonymously authenticate itself to a visiting foreign network in such a way that the following goals will be achieved.

1. (Mutual Authentication) Both the roaming mobile device and the visiting foreign network have obtained assurance on the identities of their communicating parties. In general, each of the two communicating parties should obtain assurance on the identity of its communicating party.
2. (User Anonymity) Eavesdroppers of the visiting foreign network, including other mobile devices in the network, and any foreign networks other than the visiting one, should not be able to find out the identity of the roaming mobile device.
3. (User Untraceability) Eavesdroppers and foreign networks should not be able to track the roaming sequence of the mobile device.

These security goals are useful for protecting the privacy of the mobile device, especially in widely distributed wireless networks administered by a large number of different operators. This level of privacy has not yet been achieved in the current cellular systems. However, it has always been a desirable feature, from past to new and upcoming wireless networks [9]. It becomes increasingly important as more and more ad hoc wireless networks are put in place to provide services.

In this paper, we review two anonymous authentication protocols for wireless communications. The first one was proposed by Varadharajan and Mu [10] and the second one was proposed by Go and Kim [3]. We find that they are vulnerable to several attacks which allow eavesdroppers or foreign networks other than the visiting one to find out the identity of a roaming mobile device or trace the roaming sequence of the mobile device.

In the protocols of [10], the privacy of the mobile devices cannot be preserved if the underlying symmetric encryption function is a typical stream cipher. Stream ciphers are commonly used in wireless applications for better performance and less battery power consumption. Our attacks allow eavesdroppers or other mobile devices to reveal the identity of a targeted mobile device.

In the protocol of [3], a malicious foreign network which is not the visiting one can find out the mobile device's identity without interacting with the mobile device.

These attacks show that their protocols cannot achieve the original security goals. Since the attacking techniques are practical and can be implemented effectively, we believe that the attacks presented in this paper should be checked against whenever a new anonymous authentication protocol is designed.

Paper Organization: In Sec. 2, we review some previously proposed anonymous authentication protocols for wireless communications. In Sec. 3, we first review the Varadharajan-Mu authentication protocols [10] and then describe two attacks. In Sec. 4, we describe another attacking technique and show that the Go-Kim authentication protocol [3] is susceptible to this attack. Finally, in Sec. 5, we conclude the paper.

The work described in this paper was fully supported by a grant from the Research Grants Council of the Hong Kong Special Administrative Region, China (Project No (RGC Ref. No. CityU 1161/04E )).

2 Related Work

We refer to a roaming mobile device, its home network and the visiting foreign network as a user, the user's home server and a foreign network, respectively.

There have been a number of works on anonymous authentication protocols for wireless networks [1, 8, 10, 3]. In [1, 8], several levels of privacy requirements and protocols were proposed. The basic idea is to have a distinct alias associated with each user which appears unintelligible to anyone except the home server of the user. When the user requests a connection to a foreign server, he presents the alias and the identity of a server which is claimed to be his home server. The foreign server then forwards the alias to the claimed home server for verification. This technique is commonly used for providing user anonymity.

Another feature which is closely related to anonymity is user untraceability: nobody except the home server of a user should be able to track the user's sequence of roaming. To provide user untraceability, the alias of [1, 8] has to be renewed every time after it is used.
On authentication, the protocols of [1, 8] do not provide foreign server authentication. The user cannot be sure that he is communicating with the foreign server he intends to connect to. In [10, 3], anonymous authentication protocols were proposed which support mutual authentication.

In [10], a scenario related to roaming was discussed and three protocols were proposed for providing authenticated key establishment between two mobile devices, each subscribed to a distinct server. Their protocols protect the identities of both mobile devices from eavesdroppers, and from other mobile devices and servers. However, in Sec. 3 below, we show that none of their protocols can preserve the privacy of the mobile devices if the underlying symmetric encryption function is a typical stream cipher. For many wireless networks, stream ciphers are used for better performance and less power consumption when compared with block ciphers. Hence the attacks described in Sec. 3 have significant practical impact. In our attacks, eavesdroppers and other network users can compromise the anonymity of two communicating mobile devices.

In [3], an anonymous authentication protocol was proposed for mobile devices to roam anonymously on distributed wireless networks. Their protocol is intended to protect the mobile device's identity from all entities other than its home server and the visiting foreign server. However, as shown in Sec. 4 below, a malicious foreign server which is not serving the mobile device can launch an attack to reveal the mobile device's identity.

3 Varadharajan-Mu Anonymous Authentication Protocols

In [10], Varadharajan and Mu proposed three anonymous authentication protocols. In the following, we review the first protocol of [10] and present two attacks which compromise the original anonymity goals of the protocol. The attacks can be applied to the other two protocols as well.
Consider a scenario in which a user A from his home server H travels to a network administered by a foreign server V and requests a secure connection with another user B subscribed to V, that is, V is the home server of B. The anonymity goals are as follows.

1. (Caller Anonymity) The real identity of A should only be known to H and B. That is, A should remain anonymous to eavesdroppers, all network users except B, and all foreign servers including V.
2. (Callee Anonymity) The real identity of B should only be known to V, A and H. That is, B should remain anonymous to eavesdroppers, all network users except A, and all servers except V and H.

Below is a review of the first protocol of [10]. Let $k$ be a security parameter. Let $E_K$ be a symmetric encryption function with the symmetric key $K$. Let $Sig_X$ be a secret signing algorithm of an entity $X$ and $Ver_X$ be the corresponding public signature verification algorithm. Let $PKE_X$ be a public key encryption function with the public key of entity $X$.

Let A and B be mobile devices, where A initiates a connection to B. Let H be the home server of A and V be the home server of B. Let $K_{AH}$ be a long-term symmetric key shared between A and H. Let $K_{BV}$ be a long-term symmetric key shared between B and V. Let $h_1$ and $h_2$ be two distinct cryptographic hash functions such as [6]. Both of them map from $\{0,1\}^*$ to $\{0,1\}^k$.
Assume that there is a temporary identity, denoted by $A_s$, shared between A and H. Similarly, a temporary identity, $B_s$, is assumed to be shared between B and V before starting the protocol. The temporary identity is called a subliminal identity in [10] and is intended for the provision of user anonymity. In Fig. 1, the first protocol of [10] is illustrated. In the figure, notations A, H, B and V also represent their corresponding identities.

1. $A$: $n_A \in_R \{0,1\}^k$, $K_{AV} = h_1(K_{AH} \| A_s \| V)$, $Token_{AHV} = E_{K_{AH}}(A \| H \| V \| n_A)$, $mac_1 = E_{K_{AV}}(h_2(A_s \| B \| H \| n_A))$
2. $A \rightarrow V$: $A_s$, $H$, $n_A$, $Token_{AHV}$, $msg_1 = E_{K_{AV}}(A_s \| B)$, $mac_1$
3. $V$: $n_V \in_R \{0,1\}^k$, $sig_1 = Sig_V(V \| H \| n_V \| A_s \| Token_{AHV})$
4. $V \rightarrow H$: $V$, $H$, $n_V$, $A_s$, $Token_{AHV}$, $sig_1$
5. $H$: If $Token_{AHV}$ is in correct form and $Ver_V(sig_1) = 1$: $sig_2 = Sig_H(H \| V \| K_{AV} \| A_s \| n_V)$, $mac_3 = E_{K_{AH}}(h_2(H \| n_A \| A_s^{new}))$
6. $V \leftarrow H$: $H$, $V$, $n_V$, $msg_2 = PKE_V(K_{AV} \| A_s)$, $sig_2$, $msg_3 = E_{K_{AH}}(H \| A_s^{new})$, $mac_3$
7. $V$: Decrypt $msg_2$. If $Ver_H(sig_2) = 1$: Decrypt $msg_1$. If $mac_1$ is in correct form: $K_s \in_R \{0,1\}^k$, $mac_4 = E_{K_{AV}}(h_2(V \| A_s \| B \| B_s \| K_s \| n_A))$, $mac_5 = E_{K_{BV}}(h_2(V \| A_s \| B \| K_s))$
8. $A \leftarrow V$: $V$, $A_s$, $n_A$, $msg_3$, $mac_3$, $msg_4 = E_{K_{AV}}(B \| B_s \| K_s)$, $mac_4$, $msg_5 = E_{K_{BV}}(A_s \| K_s)$, $mac_5$
9. $A$: Decrypt $msg_3$. If $mac_3$ is in correct form: Decrypt $msg_4$. If $mac_4$ is in correct form: Update the subliminal identity to $A_s^{new}$. $n_A \in_R \{0,1\}^k$, $mac_6 = E_{K_s}(h_2(A_s \| A \| B_s \| V \| n_A))$
10. $A \rightarrow B$: $A_s$, $B_s$, $V$, $n_A$, $msg_5$, $mac_5$, $msg_6 = E_{K_s}(A \| A_s)$, $mac_6$
11. $B$: Decrypt $msg_5$. If $mac_5$ is in correct form: Decrypt $msg_6$. If $mac_6$ is in correct form, accept the connection.
12. $A \leftarrow B$: $B_s$, $A_s$, $n_A$, $mac_7 = E_{K_s}(h_2(B_s \| A_s \| n_A))$
13. $A$: If $mac_7$ is in correct form, accept the connection.

Figure 1: Varadharajan-Mu Anonymous Authentication Protocol

In Fig. 1, $x \in_R X$ means that $x$ is randomly chosen from the domain $X$. Symbol $\|$ means binary string concatenation and $A \rightarrow V$ means that A sends some message to V. $A_s^{new}$ is the new temporary identity for A.

Obviously, the anonymity requirement of keeping V from knowing the real identity of A would be compromised if V can get the message sent from A to B in Step 10 of Fig. 1. However, this can be prevented easily in practice by adjusting the transmission power of A such that it is too low for V to get the signal.
In the following, we describe two attacks which compromise user anonymity of A and B, respectively. The attacking techniques can also be applied to the other two protocols of [10].

The security requirement of the underlying symmetric encryption function is not specified clearly in [10]. Rigorous mathematical definitions and precise algorithm specifications are not given. In the following, we illustrate that the absence of these important definitions and specifications could severely affect the security of the protocol.

Assume that the encryption function is some secure stream cipher such as [2, 7]. In many wireless networks, security protocols use stream ciphers instead of block ciphers for better performance, less memory requirement, and lower power consumption. Define the stream cipher as $M \mapsto M \oplus f(K)$ for all messages $M$ with appropriate length, where $K$ is the symmetric key and $f$ is a secure pseudorandom function family keyed by $K$. We now show that this implementation is insecure, as caller and callee anonymity cannot be attained.

3.1 Attack 1: Compromising Anonymity of A by Eavesdroppers

Note that $Token_{AHV} = (A \| H \| V \| n_A) \oplus f(K_{AH})$. The bit information of $f(K_{AH})$ is leaked directly from the publicly known components $H$, $V$ and $n_A$. In addition, the first portion of $Token_{AHV}$ corresponding to $A$ is always the same. An eavesdropper can use this information to track the roaming sequence of a mobile device. Regardless of the renewal of the subliminal identity of A in each protocol run, the scheme is traceable.

If the lengths of $H$ and $A$ are the same, then the identity of A is revealed immediately from $Token_{AHV}$ and $msg_3$. Notice that $Token_{AHV} = f(K_{AH}) \oplus (A \| \cdots)$ and $msg_3 = f(K_{AH}) \oplus (H \| \cdots)$. Since the value of $H$ is publicly known, the value of $A$ is obtained immediately from $Token_{AHV} \oplus msg_3 \oplus (H \| \cdots)$.
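The XOR relation of Attack 1, as an added example that is not part of the original paper: it models the keystream reuse between Token_AHV and msg_3, shows that the leading ciphertext field links protocol runs, and contrasts this with a per-message nonce mixed into the keystream (a mitigation assumed here, not taken from the paper). SHAKE-256 stands in for f, all fields are padded to a constructed width of 8 bytes (the equal-length case), and the identities alice, home-net, visit-1, visit-2 and sub-000x are constructed sample values.

```python
import hashlib
import secrets

FIELD = 8  # constructed: every identity and nonce occupies 8 bytes


def f(key: bytes, length: int, nonce: bytes = b"") -> bytes:
    """Keystream f(K). With an empty nonce this is the model analysed in the
    paper: the same key always produces the same keystream."""
    return hashlib.shake_256(key + nonce).digest(length)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(name: str) -> bytes:
    return name.encode().ljust(FIELD, b"\0")


def encrypt(key: bytes, plaintext: bytes, nonce: bytes = b"") -> bytes:
    return xor(plaintext, f(key, len(plaintext), nonce))


def protocol_run(k_ah, a, h, v, a_new, fresh_nonce=False):
    """Return (Token_AHV, msg_3) as sent in Steps 2 and 8 of Fig. 1.

    fresh_nonce=True derives a different keystream for every message; in a
    real design the nonce would travel in the clear next to the ciphertext.
    """
    n_a = secrets.token_bytes(FIELD)
    iv_token = secrets.token_bytes(16) if fresh_nonce else b""
    iv_msg3 = secrets.token_bytes(16) if fresh_nonce else b""
    token = encrypt(k_ah, pad(a) + pad(h) + pad(v) + n_a, iv_token)
    msg3 = encrypt(k_ah, pad(h) + pad(a_new), iv_msg3)
    return token, msg3


def first_field_from_pair(token: bytes, msg3: bytes, h: str) -> bytes:
    """Token_AHV xor msg_3 xor (H || ...), restricted to the first field.
    Every input is public, so this is what a passive listener can compute."""
    return xor(xor(token[:FIELD], msg3[:FIELD]), pad(h))


def linkable(token_1: bytes, token_2: bytes) -> bool:
    """True when two runs carry an identical leading ciphertext field,
    which is the traceability problem described in the text."""
    return token_1[:FIELD] == token_2[:FIELD]


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    for fresh in (False, True):
        t1, m1 = protocol_run(key, "alice", "home-net", "visit-1", "sub-0002", fresh)
        t2, _ = protocol_run(key, "alice", "home-net", "visit-2", "sub-0003", fresh)
        print("fresh nonce:", fresh,
              "| recovered field:", first_field_from_pair(t1, m1, "home-net"),
              "| runs linkable:", linkable(t1, t2))
```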
3.2 Attack 2: Compromising the Anonymity of B by a Mobile Device

If A is also a malicious user, this attack allows A to obtain enough bits of $f(K_{BV})$ for identifying all the subsequent communications initiated by B with any other mobile devices in any other networks.

Note that $msg_5 = (A_s \| K_s) \oplus f(K_{BV})$. Since A knows $A_s$ and $K_s$, this portion of $f(K_{BV})$ can also be obtained by A. Then, as long as the length of $B$ is smaller than that of $A_s \| K_s$, A can compute the portion of $B$ in any $Token_{BVS}$ for any foreign server S of B. Hence A compromises the anonymity of B in all its future communications with any other entities after initiating only one call with it.

4 Go-Kim Anonymous Authentication Protocol

In [3], Go and Kim proposed an anonymous authentication protocol for a user traveling anonymously from one wireless network to another. These networks are administered by different operators. Besides the user's home server and his visiting foreign server, no one, including eavesdroppers, other users in the system and other foreign servers that are not interacting with the user, should be able to obtain the real identity of the user. In the following, we first review their protocol and then describe an active attack which allows a malicious foreign server to eavesdrop on communications between a user and another foreign server and launch an active attack for obtaining the identity of the user.
For simplicity, we omit formal definitions of the following functions and assume that some appropriate domains and ranges are applied to each of them. Let $E_K$ be a symmetric encryption function under the symmetric key $K$. Let $Sig_A$ be a secret signing algorithm of entity A. Let $Ver_A$ be the corresponding public signature verification algorithm of A. Let $Z_p$ be a multiplicative group generated by $g$ where $p$ is a large prime. Let the order of $Z_p$ be a large prime $q$ such that $q \mid (p - 1)$. Assume that the discrete logarithm problem [4] in $Z_p$ is hard.

Let M, V and H denote the user, a foreign server and the home server of M, respectively. Assume that M has a public key pair denoted by $(\hat{s}_M, P_M)$ where $\hat{s}_M \in Z_q$ is the private key and $P_M = g^{\hat{s}_M} \bmod p$ is the public key. Similarly, let $(\hat{s}_V, P_V)$ and $(\hat{s}_H, P_H)$ be the public key pairs of V and H, respectively, where $P_V = g^{\hat{s}_V} \bmod p$ and $P_H = g^{\hat{s}_H} \bmod p$. Assume that M knows H's public key. Also assume that PKI (Public Key Infrastructure) is present. For each entity in the system, there exists a certificate issued by a trusted certificate authority on its identity and public key. For example, the certificates of M, V and H are denoted by $Cert_M$, $Cert_V$ and $Cert_H$, respectively. Let $h$, $h_1$ and $h_2$ be some cryptographic hash functions. The Go-Kim anonymous authentication protocol [3] is shown in Fig. 2.

1. $M$: $r_M \in_R Z_q$, $K_{MH} = P_H^{r_M} \bmod p$, $TID_M = E_{K_{MH}}(h(M) \| (g^{r_M} \bmod p))$
2. $M \rightarrow V$: $g^{r_M} \bmod p$, $TID_M$, $H$
3. $V$: $r_V \in_R Z_q$, $sig_1 = Sig_V(g^{r_V} \bmod p \| g^{r_M} \bmod p \| TID_M \| V)$
4. $V \rightarrow H$: $g^{r_V} \bmod p$, $g^{r_M} \bmod p$, $TID_M$, $sig_1$, $T_1$, $Cert_V$
5. $H$: If $Cert_V$ is verified to be valid and $Ver_V(sig_1) = 1$: $K_{MH} = g^{r_M \hat{s}_H} \bmod p$, decrypt $TID_M$ and identify M from $h(M)$, $r_H \in_R Z_q$, $K_{VH} = h_1(g^{r_V r_H} \bmod p \| P_V^{r_H} \bmod p)$, $sig_2 = Sig_H(g^{r_H} \bmod p \| g^{r_V} \bmod p \| h(M) \| (g^{r_M} \bmod p) \| H)$
6. $V \leftarrow H$: $g^{r_H} \bmod p$, $E_{K_{VH}}(sig_2 \| h(M) \| (g^{r_M} \bmod p))$, $T_2$, $Cert_H$
7. $V$: Compute $K_{VH}$ accordingly. If $Cert_H$ is verified to be valid and $Ver_H(sig_2) = 1$: $TID_M^{new} = h(g^{r_M r_V} \bmod p \| h(M))$, $K_{MV} = h_1(g^{r_M r_V} \bmod p \| g^{r_M \hat{s}_V} \bmod p)$
8. $M \leftarrow V$: $g^{r_V} \bmod p$, $E_{K_{MV}}(h(g^{r_V} \bmod p \| g^{r_M} \bmod p \| TID_M^{new} \| V) \| T_2)$, $T_3$, $Cert_V$
9. $M$: $sig_3 = Sig_M(g^{r_M} \bmod p \| g^{r_V} \bmod p \| T_2 \| V)$
10. $M \rightarrow V$: $E_{K_{MV}}(sig_3 \| T_3 \| Cert_M)$

Figure 2: Go-Kim Anonymous Authentication Protocol

In the figure, $TID_M$ is called a temporary identity of M. It is renewed every time a new session between M and V is established. The new temporary identity is $TID_M^{new}$. $T_1$, $T_2$ and $T_3$ are timestamps.

In Step 5 in Fig. 2, H decrypts $TID_M$ and identifies M from $h(M)$. Due to the collision-resistant property of the hash function $h$, the value of $h(M)$ is distinct for distinct M with overwhelming probability. The value of $h(M)$ can therefore be used directly to identify user M. Hence if an adversary can obtain the value of $h(M)$, it should be considered that the identity of the user M has been compromised.

4.1 Compromising User Anonymity

In this section, we describe an active attack which allows a malicious foreign server, which is not interacting with the user, to eavesdrop on communications between the user and a visiting foreign server and obtain the real identity of the user.

As mentioned above, the Go-Kim protocol was originally designed to allow only the home server and the visiting foreign server to know the real identity of the user M. No other entity in the system, including any other foreign servers which are not engaged in this protocol run, should be able to obtain the identity of the user.

However, we can see that $TID_M$ does not contain V. In Step 4 in Fig. 2, when H receives messages from V, there is no proof that M intends to communicate with V. In other words, H has no idea whether M is actually in the serving network operated by V or in some other network operated by another operator. In the following, we describe an attack to compromise the user's anonymity. The attack is based on this observation.

Suppose there is a malicious foreign server E which is eavesdropping in the radio coverage of V. After M sends the first message flow to V shown in Step 2 in Fig. 2, E later connects to H in another session and claims that a user of H is visiting the network operated by E. The attack is carried out for getting the identity of M. This is illustrated in Fig. 3.

1. $M \rightarrow V$: $g^{r_M} \bmod p$, $TID_M$, $H$
2. $V \rightarrow H$: $g^{r_V} \bmod p$, $g^{r_M} \bmod p$, $TID_M$, $sig_1$, $T_1$, $Cert_V$
2. $E \rightarrow H$: $g^{r_1} \bmod p$, $g^{r_M} \bmod p$, $TID_M$, $sig_1$, $T_1$, $Cert_E$
3. $V \leftarrow H$: $g^{r_H} \bmod p$, $E_{K_{VH}}(sig_2 \| h(M) \| (g^{r_M} \bmod p))$, $T_2$, $Cert_H$
3. $E \leftarrow H$: $g^{r_2} \bmod p$, $E_{K_{EH}}(sig_2 \| h(M) \| (g^{r_M} \bmod p))$, $T_2$, $Cert_H$
4. $M \leftarrow V$: $g^{r_V} \bmod p$, $E_{K_{MV}}(h(g^{r_V} \bmod p \| g^{r_M} \bmod p \| TID_M^{new} \| V) \| T_2)$, $T_3$, $Cert_V$
5. $M \rightarrow V$: $E_{K_{MV}}(sig_3 \| T_3 \| Cert_M)$

Figure 3: Malicious Server Attack

In Step 2 in Fig. 3, the malicious server E produces arbitrarily $g^{r_1} \bmod p$, generates a signature $sig_1$ and a timestamp $T_1$, and shows a valid certificate $Cert_E$ appropriately. In Step 3 in Fig. 3, $h(M)$ is obtained by E and it can then be used directly to identify M. In addition, M can usually be found by exhaustively searching over the domain of M. In practice, the domain of M is usually small. For example, in GSM [5], the mobile unit can be identified uniquely using a 15-digit number.

Note that the attacking session between E and H does not need to be launched in parallel with the original session between M and V. It can be launched after an arbitrary period of time. We call it the Malicious Server Attack.
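The missing binding between TID_M and V, as an added example that is not code from the paper or from Go and Kim: a toy model of H's Step 5 processing shows that H releases h(M) to any certified server that presents the overheard pair, and that placing the visited server's identity inside TID_M (a mitigation assumed here, not one proposed on this page) makes H reject the second submission. The modulus, generator, XOR-based E_K, the names HomeServer, mobile_step1, replay_by_other_server and the identities imsi-001 and imsi-002 are constructed for illustration; signature and certificate verification are assumed to have succeeded.

```python
import hashlib
import secrets

P = 2**127 - 1   # toy prime modulus, constructed for the demo (not a secure group)
G = 3            # toy generator
NBYTES = 16      # byte length of a group element modulo P


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def i2b(x: int) -> bytes:
    return x.to_bytes(NBYTES, "big")


def enc(key: int, plaintext: bytes) -> bytes:
    """Toy E_K: XOR with a SHAKE-256 keystream, so enc() is its own inverse.
    K_MH is fresh in every session because r_M is fresh."""
    ks = hashlib.shake_256(i2b(key)).digest(len(plaintext))
    return bytes(a ^ b for a, b in zip(plaintext, ks))


class HomeServer:
    def __init__(self, subscribers):
        self.s_h = secrets.randbelow(P - 2) + 1      # private key of H
        self.p_h = pow(G, self.s_h, P)               # P_H = g^s_H mod p
        self.by_hash = {h(m.encode()): m for m in subscribers}

    def handle_step4(self, submitter, g_rm, tid, bind_server):
        """Steps 5-6 as seen by H. `submitter` is the identity from the
        already verified certificate. Returns the h(M) that H would send
        back to that server, or None if the request is rejected."""
        k_mh = pow(g_rm, self.s_h, P)                # K_MH = g^(r_M s_H) mod p
        plain = enc(k_mh, tid)
        h_m, echoed = plain[:32], plain[32:32 + NBYTES]
        if h_m not in self.by_hash or echoed != i2b(g_rm):
            return None
        if bind_server and plain[32 + NBYTES:] != h(submitter.encode()):
            return None      # TID_M was built for a different foreign server
        return h_m


def mobile_step1(user, p_h, visiting, bind_server):
    """Step 1 at M. With bind_server=True the hash of the visited server's
    identity is appended inside the encryption (assumed mitigation)."""
    r_m = secrets.randbelow(P - 2) + 1
    g_rm = pow(G, r_m, P)
    k_mh = pow(p_h, r_m, P)                          # K_MH = P_H^r_M mod p
    body = h(user.encode()) + i2b(g_rm)
    if bind_server:
        body += h(visiting.encode())
    return g_rm, enc(k_mh, body)


def replay_by_other_server(bind_server):
    """M roams to V; server E later submits the overheard (g^r_M, TID_M).
    Returns what H hands to V and what H hands to E."""
    home = HomeServer(["imsi-001", "imsi-002"])      # constructed subscriber list
    g_rm, tid = mobile_step1("imsi-001", home.p_h, "V", bind_server)
    to_v = home.handle_step4("V", g_rm, tid, bind_server)
    to_e = home.handle_step4("E", g_rm, tid, bind_server)
    return to_v, to_e


if __name__ == "__main__":
    for bound in (False, True):
        to_v, to_e = replay_by_other_server(bound)
        print("TID_M bound to V:", bound,
              "| V receives h(M):", to_v is not None,
              "| E receives h(M):", to_e is not None)
```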
5 Conclusions

In this paper, we review two anonymous authentication protocols for wireless communications. The first one was proposed by Varadharajan and Mu [10] and the second one was proposed by Go and Kim [3]. We find that they are vulnerable to several attacks which allow eavesdroppers or foreign networks other than the visiting one to find out the identity of a roaming mobile device or trace the roaming sequence of a mobile device.

For the three protocols of [10], we show that all of them cannot preserve the privacy of the mobile devices if the underlying symmetric encryption algorithm is implemented using some inappropriate specification. This illustrates the importance of specifying precisely all the underlying algorithms. Our attacks allow an eavesdropper or a malicious mobile device to trace the roaming sequence or reveal the identity of another roaming mobile device.

For the protocol of [3], we find that a malicious foreign network which is not interacting with the mobile device can find out the mobile device's identity through an impersonation attack.

These attacks show that these protocols cannot achieve the original security goals. Since the attacking techniques are practical and can be implemented effectively, we believe that these attacks should be checked against every time when a new anonymous authentication protocol is designed.

References

[1] G. Ateniese, A. Herzberg, H. Krawczyk, and G. Tsudik. On traveling incognito. In Proc. of the IEEE Workshop on Mobile Systems and Applications, December
[2] M. Briceno, I. Goldberg, and D. Wagner. A pedagogical implementation of A5/1. Available at May
[3] J. Go and K. Kim. Wireless authentication protocol preserving user anonymity. In Proc. of the 2001 Symposium on Cryptography and Information Security (SCIS 2001), pages , January
[4] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press LLC,
[5] Michel Mouly and Marie-Bernadette Pautet. The GSM System for Mobile Communications. Published by the authors,
[6] NIST FIPS PUB Secure Hash Standard, April
[7] R.L. Rivest. The RC4 Encryption Algorithm. RSA Data Security, Inc., March 12, (Proprietary).
[8] D. Samfat, R. Molva, and N. Asokan. Untraceability in mobile networks. In Proc. of MobiCom '95, pages 26-36,
[9] Technical Specification Group (TSG) SA. 3GPP TS : 3rd Generation Partnership Project 3GPP, 3G Security, Security Architecture, Oct
[10] V. Varadharajan and Y. Mu. Preserving privacy in mobile communications: A hybrid method. In IEEE International Conference on Personal Wireless Communications, pages ,
More informationData Security and Privacy. Topic 14: Authentication and Key Establishment
Data Security and Privacy Topic 14: Authentication and Key Establishment 1 Announcements Mid-term Exam Tuesday March 6, during class 2 Need for Key Establishment Encrypt K (M) C = Encrypt K (M) M = Decrypt