Verification of Security Protocols
1 Verification of Security Protocols
Chapter 12: The JFK Protocol and an Analysis in Applied Pi
Christian Haack
June 16, 2008

2 Exam
- When? Monday, 30/06, 14:00.
- Where? TUE, Matrix
- Scheduled for 3 hours, but should be doable in shorter time.
- Counts 25% towards the course grade (270 points for assignments, 90 points for exam).
- The exam is closed book.

3 Exam
How to prepare? Review the course notes and the exercises (especially the pencil-and-paper exercises).
Things you should know:
- Typical protocol goals and their informal meaning (e.g., secrecy, authenticity, key establishment, non-repudiation, anonymity, etc.).
- How to model protocols as informal narrations.
- The spi-calculus and its operational semantics.
- How to model protocols in the spi-calculus (agent roles, parallel sessions, external threat model, internal threat model, etc.).
- How to express core security goals in the spi-calculus (secrecy assertions, correspondence assertions, injective agreement, non-injective agreement, non-interference).

4 Exam
Things you should know (cont.):
- Proof methods (type systems, BAN logic). You do not need to learn typing rules or BAN rules by heart. I will provide you with a handout with the rules that you need. You need to be able to apply the rules.
- Cryptographic primitives and what they can be used for (e.g., digital signatures for authentication, hashes for message integrity, nonces for injective agreement, nonces for timeliness, timestamps for timeliness, etc.).
- How to specify cryptographic primitives in generic spi/ProVerif (constructors, reduction rules, equations).
- Testing equivalence, non-interference.
Topics that won't come up in the exam: ProVerif's resolution method, the computational model.

5 Plan for Today
We will talk about the Just Fast Keying (JFK) protocol, and a protocol analysis in the Applied Pi Calculus with the help of ProVerif.
JFK is a key establishment protocol, intended for use in IPsec.
The JFK protocol has interesting security goals (in addition to secrecy and authenticity as usual):
- resistance against denial-of-service (DoS) attacks
- privacy of client and server against passive attackers
- privacy of either client or server against active attackers

6 References
Today's class is based on the following articles:
- Aiello, Bellovin, Blaze, Canetti, Ioannidis, Keromytis, Reingold: Just Fast Keying: Key Agreement in a Hostile Internet, [ABB+04]
- Abadi, Blanchet, Fournet: Just Fast Keying in the Pi Calculus, [ABF07]
The ProVerif sources for the JFK analysis are contained in the directory examples/jfk of the ProVerif distribution.

7 JFK: Context
JFK was designed to be used to set up a security association (SA) at the outset of an IPsec session.
What is a security association? A set of security parameters including session keys, initialization vectors or digital certificates.
Currently, this is established by the Internet Key Exchange (IKE) protocol.
The IKE protocol has been criticized for several reasons. Most importantly:
- a high number of rounds (inefficiency)
- vulnerability to DoS attacks
- complexity of the protocol and its specification
JFK improves on these shortcomings.
Another proposed replacement of IKE is IKEv2.

8 Diffie-Hellman Key Establishment: Initial Data
JFK uses Diffie-Hellman Key Establishment (DH).
Publicly known initial data:
- $p$ : a large prime
- $g$ : a primitive root modulo $p$
What is a primitive root modulo $p$? A number $g$ such that all numbers in $\{1, \ldots, p-1\}$ can be generated by taking exponents of $g$ modulo $p$. Or more technically: a generator of the multiplicative group of integers modulo $p$.
The pair $(p, g)$ is sometimes called the Diffie-Hellman group.

9 Diffie-Hellman Key Establishment (DH)
A picks a random integer $a$
$A \to B : g^a$
B picks a random integer $b$
$B \to A : g^b$
A and B compute $k = (g^a)^b = g^{ab} = (g^b)^a \pmod p$
They use $k$ as a session key.
If $g$ and $p$ are chosen appropriately (e.g., $p$ has to be large enough), then it is infeasible for someone other than A or B to learn $k$.
Why? An attacker knows $g$, $p$, $g^a$ and $g^b$. It is thought that learning $g^{ab}$ is as hard as learning $a$ or $b$. But this amounts to taking the discrete logarithm modulo $p$, which is thought to be computationally intractable.

10 Lack of Authentication
A picks a random integer $a$
$A \to B : g^a$
B picks a random integer $b$
$B \to A : g^b$
A and B compute $k = (g^a)^b = g^{ab} = (g^b)^a \pmod p$
They use $k$ as a session key.
The simple DH protocol is safe against eavesdroppers. However, it does not provide authentication. It is therefore not safe against active adversaries.

11 Station-to-Station (STS)
The station-to-station protocol enriches DH with authentication:
A picks random $a$
1. $A \to B : g^a$
B picks random $b$ and computes $k = g^{ab}$
2. $B \to A : g^b, \{\{g^b, g^a\}_{s_B}\}_k$
A computes $k = g^{ba}$
3. $A \to B : \{\{g^a, g^b\}_{s_A}\}_k$
STS achieves key establishment and mutual authentication. Furthermore, both A and B learn that the other one knows $k$, because messages 2 and 3 are encrypted with $k$. The protocol even protects against replays, because $g^a$ and $g^b$ serve as nonces.
Many real protocols are variations of STS. These include IKE and JFK.

12 Vulnerability to DoS Attacks
A picks random $a$
1. $A \to B : g^a$
B picks random $b$ and computes $k = g^{ab}$
2. $B \to A : g^b, \{\{g^b, g^a\}_{s_B}\}_k$
A computes $k = g^{ba}$
3. $A \to B : \{\{g^a, g^b\}_{s_A}\}_k$
This simple variant of STS is vulnerable to DoS attacks. Why?
Both exponentiation and public key cryptography (in this case digital signing) are computationally expensive. If an attacker deliberately swamps server B with huge amounts of message 1, then B will have to do huge amounts of computation.
The problem is that B has to do this expensive computation in his very first message. The attacker has to do no significant work to trigger this.
JFK resists DoS attacks to some extent.

13 Diffie-Hellman in ProVerif
Diffie-Hellman can be represented in ProVerif like this:

    data g/0.
    fun exp/2.
    equation exp(exp(g,x),y) = exp(exp(g,y),x).

Note that this is an equation rather than a reduction rule. Fortunately, this is an equation that ProVerif can deal with.

14 Keyed Hashes (MACs)
Recall that hashes are a tool to ensure message integrity:
$A \to B : M, \mathrm{hash}(M)$
B knows that $M$ has not been altered.
Keyed hashes (aka message authentication codes, MACs) are a tool to ensure both message integrity and authenticity:
$K$ is a shared secret of A and B
$A \to B : M, \mathrm{hash}\{K\}(M)$
B knows that $M$ has not been altered and that it comes from A.
Like hashes, perfect keyed hashes are one-way functions (in both arguments). B knows that $M$ comes from A because A is the only other agent who knows $K$.

15 Keyed Hashes in ProVerif
Representing keyed hashes in ProVerif is easy:

    fun keyedhash/2. (* No destructor *)

16 JFK: Design Goals
- Secrecy of established session keys.
- Forward Secrecy of established session keys (i.e., compromise of long-term keys should not affect secrecy of the session keys already in use).
- Privacy: hide the identities of initiator and responder as far as possible.
- Memory DoS: it must resist memory exhaustion attacks.
- Computation DoS: it must resist CPU exhaustion attacks.
- Efficiency: it must be efficient w.r.t. computation, bandwidth and number of rounds.
- Non-negotiated: it must avoid complex negotiations over cryptographic capabilities.
- Simplicity: it must be as simple as possible within the constraints of the requirements.

17 Privacy Against Eavesdroppers
JFKr guarantees privacy of both initiator and responder against passive eavesdroppers. (JFKi only of initiator.)
This is achieved by never sending in plain any data that can be tied to one of the agents. In particular, the following are never sent in plain:
- agent ids
- public keys or public key certificates for the agents
- messages signed by the agents
Note that STS already provides privacy of both agents against passive eavesdroppers: the only messages that could be tied to agents are the signed messages, but these are encrypted under the DH key.

18 Privacy Against Active Attackers
STS protects A's privacy against active attackers, but not B's.
Why not B's? An active attacker could pose as A. He would receive message 2, could decrypt it, and then know that B is at the other end.
Generally, in a protocol that provides mutual authentication by digital signatures, at most one agent can protect his privacy against active adversaries: the agent who authenticates first won't have privacy.
There are two versions of JFK:
- JFKr protects the responder's privacy against active attackers.
- JFKi protects the initiator's privacy against active attackers.

19 Resistance Against Memory DoS Attacks
Protocols typically build up state, i.e., they store data from early protocol actions that is needed later in the protocol (e.g., nonces or session ids are stored for later checks).
In Memory DoS attacks, an attacker starts many parallel sessions with a server, causing the server to build up state and exhaust his memory.
To protect servers against such attacks, JFK avoids building up state before clients have authenticated themselves.

20 Anti-DoS Cookies
Anti-DoS cookies are a technique to resist Memory DoS attacks:
- Instead of storing session state, the server sends all its state to the client, together with a MAC of the state. This MAC is called an Anti-DoS cookie.
- The MAC key is only known to the server itself.
- In his reply, the client must send the server's session state and the MAC back to the server.

21 Anti-DoS Cookie: Example
1. $I \to R : N_I, g^i$
2. $R \to I : N_I, N_R, g^r, \mathrm{hash}\{K_R\}(g^i, g^r, N_I, N_R, I)$
3. $I \to R : N_I, N_R, g^i, g^r, \mathrm{hash}\{K_R\}(g^i, g^r, N_I, N_R, I)$, authentication data for I (expensive check)
4. $R \to I :$ authentication data for R (expensive to compute)
The MAC key $K_R$ is only known to R. $\mathrm{hash}\{K_R\}(g^i, g^r, N_I, N_R, I)$ is an Anti-DoS cookie.
But... an attacker could mount a Computation DoS attack by replaying message 3 many times! To avoid such a replay attack, R caches the Anti-DoS cookies and accepts each cookie only once.

22 Resistance Against Computation DoS Attacks
1. $I \to R : N_I, g^i$
2. $R \to I : N_I, N_R, g^r, \mathrm{hash}\{K_R\}(g^i, g^r, N_I, N_R, I)$
3. $I \to R : N_I, N_R, g^i, g^r, \mathrm{hash}\{K_R\}(g^i, g^r, N_I, N_R, I)$, authentication data for I (expensive check)
4. $R \to I :$ authentication data for R (expensive to compute)
JFK uses the following measures to resist Computation DoS:
- JFK allows a single DH exponential $g^r$ to be reused in several sessions.
- JFK avoids expensive public key cryptography in the responder's first reply.

23 Resistance to Computation DoS: Hashed Nonces
To further raise the bar against DoS attacks, JFK makes the initiator send a hashed nonce in messages 1 and 2:
1. $I \to R : \mathrm{hash}(N_I), g^i$
2. $R \to I : \mathrm{hash}(N_I), N_R, g^r, \mathrm{hash}\{K_R\}(g^i, g^r, \mathrm{hash}(N_I), N_R, I)$
3. $I \to R : N_I, N_R, g^i, g^r, \mathrm{hash}\{K_R\}(g^i, g^r, \mathrm{hash}(N_I), N_R, I)$, authentication data for I (expensive check)
4. $R \to I :$ authentication data for R (expensive to compute)
This measure is effective in environments where attackers can eavesdrop and inject messages but cannot modify messages in flight (e.g. certain wireless networks). It prevents an attacker from copying data from messages 1 and 2 to build a valid-looking message 3 with bogus authentication data (in order to force R to make an expensive check).

24 The Protocol JFKr
1. $I \to R : \mathrm{hash}(N_I), g^i$
2. $R \to I : \mathrm{hash}(N_I), N_R, g^r, \mathit{grpinfo}_R, \mathit{cookie}$
3. $I \to R : N_I, N_R, g^i, g^r, \mathit{cookie}, e_I, h_I$
4. $R \to I : e_R, h_R$
where
- $\mathit{grpinfo}_R$ = responder's choice of DH group $g$ and algorithms
- $\mathit{cookie} = \mathrm{hash}\{K_R\}(g^r, \mathrm{hash}(N_I), N_R, I)$
- $K_u = \mathrm{hash}\{g^{ir}\}(N_I, N_R, u)$ for $u = a, e, v$ ($K_v$ is the established session key)
- $sa_z$ = additional parameters for IP security association (for $z = I, R$)
- $ID_z$ = agent id and signature verification key (for $z = I, R$)
- $ID'_R$ = preference for R's signature verification key
- $e_I = \{ID_I, ID'_R, sa_I, s_I\}_{K_e}$
- $s_I = \{N_I, N_R, g^i, g^r, \mathit{grpinfo}_R\}_{sk_I}$
- $h_I = \mathrm{hash}\{K_a\}(\mathit{tag}_I, e_I)$
- $e_R = \{ID_R, sa_R, s_R\}_{K_e}$
- $s_R = \{g^r, N_R, g^i, N_I\}_{sk_R}$
- $h_R = \mathrm{hash}\{K_a\}(\mathit{tag}_R, e_R)$

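The cookie round trip of slides 20 to 23 and the key derivation $K_v$ of slide 24, as an added Python example (not code from the slides or from the ABF ProVerif model). Assumptions: HMAC-SHA256 stands in for the keyed hash, SHA-256 for the hash, the group `P`, `G` is a toy constructed for the example, and the names `Responder`, `message1`, `message3` and `run_demo` are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group constructed for this example; far too small for real use.
P = 2**127 - 1
G = 3


def _enc(parts):
    """Length-prefix every field so that field boundaries are unambiguous."""
    out = b""
    for part in parts:
        if isinstance(part, int):
            part = part.to_bytes(16, "big")
        elif isinstance(part, str):
            part = part.encode()
        out += len(part).to_bytes(2, "big") + part
    return out


def hash_(*parts):
    """hash(...) of the slides; SHA-256 is an assumption of this example."""
    return hashlib.sha256(_enc(parts)).digest()


def keyed_hash(key, *parts):
    """hash{key}(...) of the slides; HMAC-SHA256 is an assumption of this example."""
    if isinstance(key, int):
        key = key.to_bytes(16, "big")
    return hmac.new(key, _enc(parts), hashlib.sha256).digest()


class Responder:
    def __init__(self):
        self.k_r = secrets.token_bytes(32)      # cookie key K_R, known only to R
        self.r = secrets.randbelow(P - 3) + 2   # DH exponent, reusable across sessions
        self.g_r = pow(G, self.r, P)
        self.used_cookies = set()               # cache: each cookie is accepted once
        self.exponentiations = 0                # counts the expensive (g^i)^r steps

    def _cookie(self, g_i, hashed_n_i, n_r, peer):
        # Slide 23: hash{K_R}(g^i, g^r, hash(N_I), N_R, I)
        return keyed_hash(self.k_r, g_i, self.g_r, hashed_n_i, n_r, peer)

    def message1(self, peer, hashed_n_i, g_i):
        """R_1: build message 2 without storing anything about the session."""
        n_r = secrets.token_bytes(16)
        return hashed_n_i, n_r, self.g_r, self._cookie(g_i, hashed_n_i, n_r, peer)

    def message3(self, peer, n_i, n_r, g_i, g_r, cookie):
        """R_3: uses only the fields of message 3 and K_R; cheap checks come first."""
        expected = self._cookie(g_i, hash_(n_i), n_r, peer)
        if g_r != self.g_r or not hmac.compare_digest(cookie, expected):
            return "rejected: bad cookie", None
        if cookie in self.used_cookies:
            return "rejected: replayed cookie", None
        self.used_cookies.add(cookie)           # state exists only for verified cookies
        self.exponentiations += 1
        g_ir = pow(g_i, self.r, P)
        return "accepted", keyed_hash(g_ir, n_i, n_r, "v")   # K_v of slide 24


def run_demo():
    resp = Responder()
    i = secrets.randbelow(P - 3) + 2
    g_i, n_i = pow(G, i, P), secrets.token_bytes(16)

    # Messages 1 and 2: only hash(N_I) is on the wire.
    _, n_r, g_r, cookie = resp.message1("I", hash_(n_i), g_i)
    results = {"state_after_msg2": len(resp.used_cookies)}

    # Message 3 assembled from messages 1 and 2 alone, with a guessed nonce:
    # the cookie binds hash(N_I), so it fails before any exponentiation.
    guess = secrets.token_bytes(16)
    results["guessed_nonce"] = resp.message3("I", guess, n_r, g_i, g_r, cookie)[0]

    # Genuine message 3, then the same message again.
    results["first"], k_v_r = resp.message3("I", n_i, n_r, g_i, g_r, cookie)
    results["replay"] = resp.message3("I", n_i, n_r, g_i, g_r, cookie)[0]

    # The initiator derives K_v from (g^r)^i and gets the same key.
    results["keys_match"] = k_v_r == keyed_hash(pow(g_r, i, P), n_i, n_r, "v")
    results["exponentiations"] = resp.exponentiations
    return results


if __name__ == "__main__":
    print(run_demo())
```

Three message 3s reach the responder in `run_demo`, but only the genuine first one gets as far as the exponentiation; the authentication data $e_I$, $h_I$ of the full protocol is left out.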
25 Analysis in the Applied Pi-calculus
Abadi, Blanchet, Fournet model JFKr in the applied pi-calculus and do a detailed protocol analysis, with the help of ProVerif.
I'll sketch some interesting aspects of their model and analysis. For details see [ABF07] and the ProVerif sources in examples/jfk in the ProVerif distribution.

26 Modeling a Cache in ProVerif
Caches are modeled as sets. Sets are defined as cons-lists with a membership predicate.

    data emptyset/0.
    data consset/2.
    pred member/2.
    clauses
      member:x,consset(x,y);
      member:x,y -> member:x,consset(z,y).

Note that ProVerif supports defined predicates. Defined predicates can be used in conditionals and in queries.

27 Modeling Statelessness
To account for statelessness up to message 3, the responder is modeled as the parallel composition of two processes:
$R = R_1 \mid R_3$
where
- $R_1$ = responder process receiving message 1 and sending message 2
- $R_3$ = responder process receiving message 3 and sending message 4
In this manner, process $R_3$ does not depend on any data received or generated before message 3.

28 Analysis for DoS Resistance
ABF show a theorem that (informally) says this: When a responder does an expensive DH-exponentiation $(g^i)^r$, a round trip must have happened previously (in the same session).
This means that an attacker cannot trigger the responder's expensive DH-computation by sending a single message.
This theorem is not trivial, because the responder is defined by parallel composition ($R = R_1 \mid R_3$ rather than $R = R_1 ; R_3$).
In order to prove this theorem, ABF prove a transformation lemma that a system with $R = R_1 \mid R_3$ is observationally equivalent to a system with $R = R_1^{\circ} ; R_3^{\circ}$, where $R_1^{\circ}$ and $R_3^{\circ}$ are obtained from $R_1$ and $R_3$ by replacing the Anti-DoS cookie by local state.

29 Secrecy and Authenticity
ABF prove secrecy and authenticity properties:
- Standard secrecy of the established session key.
- Forward secrecy of the established session key: to this end, they publish the long-term signing key after a complete run of JFK, and show that the established session keys still satisfy standard secrecy.
- They prove various authenticity results, i.e., that certain events only happen if several other events have happened before that.

30 Identity Protection
In their pi-calculus model, ABF use public keys as agent ids (i.e., if ka is A's secret keypair, then the public signature verification key dec(ka) is used as A's id).
They reduce identity protection to non-interference: For instance, to show that the identity of responders is protected against active adversaries, they show that the following system satisfies non-interference, if x and y are drawn from the private names ka and kb:
System(x, y), where x, y are used as keypairs of two responders
In other words, they show the following observational equivalences:
System(ka, kb) ≈ System(kb, ka) ≈ System(ka, ka) ≈ System(kb, kb)

31 ProVerif: Restricting Non-interference Queries
ProVerif allows non-interference queries to be restricted to a set of particular values (in this case ka and kb):

    private free x,y.
    private free ka, kb.
    noninterf x among (ka,kb), y among (ka,kb).

32 Conclusion
JFK can be viewed as a variant of the STS protocol. However, it adds many features to STS in order to resist DoS attacks. As a result, JFK is quite complicated, although it has only four messages and is much simpler than IKE.
Its analysis in the applied pi-calculus is particularly interesting, because it analyzes properties that are not often analyzed by protocol verification tools (e.g., DoS resistance), and because it models the protocol in much detail (e.g., modeling caching).

33 That's It
That's it for this semester. Thanks for your attention!
Don't forget the exam on June 30, 14:00.

34 References
[ABB+04] William Aiello, Steven M. Bellovin, Matt Blaze, Ran Canetti, John Ioannidis, Angelos D. Keromytis, and Omer Reingold. Just fast keying: Key agreement in a hostile internet. ACM Transactions on Information and System Security, 7(2).
[ABF07] Martín Abadi, Bruno Blanchet, and Cédric Fournet. Just fast keying in the pi calculus. ACM Transactions on Information and System Security, 10(3), 2007.
Kurose & Ross, Chapters 8.2-8.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) Addison-Wesley, April 2009. Copyright 1996-2010, J.F Kurose and
More informationfor Compound Authentication
Verified Contributive Channel Bindings for Compound Authentication Antoine Delignat-Lavaud, Inria Paris Joint work with Karthikeyan Bhargavan and Alfredo Pironti Motivation: Authentication Composition
More informationIP Security IK2218/EP2120
IP Security IK2218/EP2120 Markus Hidell, mahidell@kth.se KTH School of ICT Based partly on material by Vitaly Shmatikov, Univ. of Texas Acknowledgements The presentation builds upon material from - Previous
More informationON REUSING EPHEMERAL KEYS IN DIFFIE-HELLMAN KEY AGREEMENT PROTOCOLS
ON REUSING EPHEMERAL KEYS IN DIFFIE-HELLMAN KEY AGREEMENT PROTOCOLS ALFRED MENEZES AND BERKANT USTAOGLU Abstract. A party may choose to reuse ephemeral public keys in a Diffie-Hellman key agreement protocol
More informationProofs for Key Establishment Protocols
Information Security Institute Queensland University of Technology December 2007 Outline Key Establishment 1 Key Establishment 2 3 4 Purpose of key establishment Two or more networked parties wish to establish
More informationPROTECTING CONVERSATIONS
PROTECTING CONVERSATIONS Basics of Encrypted Network Communications Naïve Conversations Captured messages could be read by anyone Cannot be sure who sent the message you are reading Basic Definitions Authentication
More informationPublic Key Algorithms
CSE597B: Special Topics in Network and Systems Security Public Key Cryptography Instructor: Sencun Zhu The Pennsylvania State University Public Key Algorithms Public key algorithms RSA: encryption and
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 31 October 2017
Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 31 October 2017 Name : TU/e student number : Exercise 1 2 3 4 5 6 total points Notes: Please hand in this sheet at the end of the exam.
More informationElements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy
Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 3 Due: Monday, 11/28/2016 at 11:55pm PT Solution: Will be posted
More informationT Cryptography and Data Security
T-79.4501 Cryptography and Data Security Lecture 10: 10.1 Random number generation 10.2 Key management - Distribution of symmetric keys - Management of public keys Stallings: Ch 7.4; 7.3; 10.1 1 The Use
More informationInformation Security CS 526
Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric
More informationSecuring Internet Communication: TLS
Securing Internet Communication: TLS CS 161: Computer Security Prof. David Wagner March 11, 2016 Today s Lecture Applying crypto technology in practice Two simple abstractions cover 80% of the use cases
More informationExperimenting with early opportunistic key agreement
septembre 2002 SÉcurité des Communications sur Internet SECI02 Experimenting with early opportunistic key agreement Catharina Candolin ½ & Janne Lundberg ½ & Pekka Nikander ¾ 1: Laboratory for Theoretical
More informationSecurity Handshake Pitfalls
Cryptographic Authentication Security Handshake Pitfalls Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr Password authentication is subject to eavesdropping Alternative: Cryptographic challenge-response
More informationDigital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2
Digital Signatures KG November 3, 2017 Contents 1 Introduction 1 2 Digital Signatures 2 3 Hash Functions 3 3.1 Attacks.................................... 4 3.2 Compression Functions............................
More informationContents Digital Signatures Digital Signature Properties Direct Digital Signatures
Contents Digital Signatures... 197 Digital Signature Properties... 198 Direct Digital Signatures... 198 199...قابلداوری Arbitrated Digital Signatures Arbitrated Digital Signature Technaiques... 200 Authentication
More informationIntroduction to Cryptography Lecture 7
Introduction to Cryptography Lecture 7 Public-Key Encryption: El-Gamal, RSA Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing
More informationPublic-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7
Public-Key Cryptography Professor Yanmin Gong Week 3: Sep. 7 Outline Key exchange and Diffie-Hellman protocol Mathematical backgrounds for modular arithmetic RSA Digital Signatures Key management Problem:
More informationSpring 2010: CS419 Computer Security
Spring 2010: CS419 Computer Security MAC, HMAC, Hash functions and DSA Vinod Ganapathy Lecture 6 Message Authentication message authentication is concerned with: protecting the integrity of a message validating
More informationData Communication Prof.A.Pal Dept of Computer Science & Engineering Indian Institute of Technology, Kharagpur Lecture - 40 Secured Communication - II
Data Communication Prof.A.Pal Dept of Computer Science & Engineering Indian Institute of Technology, Kharagpur Lecture - 40 Secured Communication - II Hello and welcome to today's lecture on secured communication.
More informationOutline. Key Management. Security Principles. Security Principles (Cont d) Escrow Foilage Protection
Outline CSCI 454/554 Computer and Network Security Topic 8.2 Internet Key Management Key Management Security Principles Internet Key Management Manual Exchange SKIP Oakley ISAKMP IKE 2 Key Management Why
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Security Handshake Pitfalls Login only Mutual
More informationOutline. Key Management. CSCI 454/554 Computer and Network Security. Key Management
CSCI 454/554 Computer and Network Security Topic 8.2 Internet Key Management Key Management Outline Security Principles Internet Key Management Manual Exchange SKIP Oakley ISAKMP IKE 2 Key Management Why
More informationCSCI 454/554 Computer and Network Security. Topic 8.2 Internet Key Management
CSCI 454/554 Computer and Network Security Topic 8.2 Internet Key Management Outline Key Management Security Principles Internet Key Management Manual Exchange SKIP Oakley ISAKMP IKE 2 Key Management Why
More informationVirtual Private Networks
EN-2000 Reference Manual Document 8 Virtual Private Networks O ne of the principal features of routers is their support of virtual private networks (VPNs). This document discusses transmission security,
More informationDistributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015
Distributed Systems 26. Cryptographic Systems: An Introduction Paul Krzyzanowski Rutgers University Fall 2015 1 Cryptography Security Cryptography may be a component of a secure system Adding cryptography
More informationLecture 6.2: Protocols - Authentication and Key Exchange II. CS 436/636/736 Spring Nitesh Saxena. Course Admin
Lecture 6.2: Protocols - Authentication and Key II CS 436/636/736 Spring 2012 Nitesh Saxena Mid-Term Grading Course Admin Will be done over the break Scores will be posted online and graded exams distribute
More informationIntroduction to Cryptography Lecture 7
Introduction to Cryptography Lecture 7 El Gamal Encryption RSA Encryption Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing
More informationPublic-key encipherment concept
Date: onday, October 21, 2002 Prof.: Dr Jean-Yves Chouinard Design of Secure Computer Systems CSI4138/CEG4394 Notes on Public Key Cryptography Public-key encipherment concept Each user in a secure communication
More informationIdeal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012
Ideal Security Protocol Satisfies security requirements Requirements must be precise Efficient Small computational requirement Small bandwidth usage, network delays Not fragile Works when attacker tries
More informationCryptographic protocols
Cryptographic protocols Lecture 3: Zero-knowledge protocols for identification 6/16/03 (c) Jussipekka Leiwo www.ialan.com Overview of ZK Asymmetric identification techniques that do not rely on digital
More informationIntroduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell
Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell 1 Cryptography Merriam-Webster Online Dictionary: 1. secret writing 2. the enciphering and deciphering
More informationCSC/ECE 774 Advanced Network Security
Computer Science CSC/ECE 774 Advanced Network Security Topic 2. Network Security Primitives CSC/ECE 774 Dr. Peng Ning 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange;
More informationThis chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest
1 2 3 This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest PKCS, Diffie- Hellman key exchange. This first published
More informationIntroduction to IPsec. Charlie Kaufman
Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF standard for Network Layer security Popular for creating trusted link (VPN), either firewall-firewall, or machine
More informationIPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security
IPsec (AH, ESP), IKE Guevara Noubir noubir@ccs.neu.edu Securing Networks Control/Management (configuration) Applications Layer telnet/ftp: ssh, http: https, mail: PGP (SSL/TLS) Transport Layer (TCP) (IPSec,
More informationSecurity Protocol Verification: Symbolic and Computational Models
Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA, École Normale Supérieure, CNRS Bruno.Blanchet@ens.fr March 2012 Bruno Blanchet (INRIA, ENS, CNRS) ETAPS March 2012
More informationIntroduction and Overview. Why CSCI 454/554?
Introduction and Overview CSCI 454/554 Why CSCI 454/554? Get Credits and Graduate Security is important More job opportunities More research funds 1 Workload Five homework assignments Two exams (open book
More information