Principles of Security Part 4: Authentication protocols Sections 1 and 2
|
|
- Susan Davis
- 6 years ago
- Views:
Transcription
1 Principles of Security Part 4: protocols Sections 1 and 2 Oxford Michaelmas Term 2008
2 Outline Basic ideas of authentication Challenge-Response Attacks What did we learn?
3 Outline Basic ideas of authentication What is the problem of authentication? Tools of authentication Challenge-Response Problem of authentication Tools Attacks What did we learn?
4 Recall from Lecture 1 Information security secrecy: "bad information flows don t happen" authenticity: "good information flows do happen" Problem of authentication Tools In network computation all information flow constraints are security properties
5 Recall terminology Information security confidentiality: "bad information flows don t... " integrity: "good information flows do... " Problem of authentication Tools Although not synonymous secrecy, confidentiality and privacy authenticity and integrity are often used interchanteably
6 Recall from Part 3 It is easy to generate a shared secret A νx B Problem of authentication Tools A to B:g x νy B to A:g y k AB =(g y ) x k AB =(g x ) y
7 Recall from Part 3 It is hard to know who is it shared with A M B νx A to B:g x Problem of authentication Tools B to A:gỹ ν x A to B:g x νỹ B to A:g y νy k AB =g xỹ g xỹ g xy AB k =g xy
8 Problem of authentication Problem of authentication Tools
9 Problem of authentication Problem of authentication Tools "There is no logical impossibility in the hypothesis that the world sprang into being five minutes ago, exactly as it then was, with a population that remembered a wholly unreal past." Bertrand Russell, The Analysis of Mind
10 Logics of authentication Derive global facts from local observations Problem of authentication Tools René Descartes: "I think, therefore I exist."
11 Tools of authentication You authenticate yourself by leveraging over: Problem of authentication Tools what you know: secrets, digital keys what you have: tokens, smart cards, physical keys what you are: biometric properties, handwriting
12 Tools of authentication You authenticate yourself by leveraging over: Problem of authentication Tools what you know: secrets, digital keys can be copied and given away what you have: tokens, smart cards, physical keys can be given away, but not copied what you are: biometric properties, handwriting cannot be given away, or copied
13 Tools of authentication In cyberspace 1 there are only messages... Problem of authentication you have no biometric properties no smart cards Tools you only know your secrets 1 space with no distance, inhabitants with no body, "Satan s computer"
14 Tools of authentication In cyberspace 1 there are only messages... Problem of authentication you have no biometric properties no smart cards Tools you only know your secrets... authentication is just responding to challenges you must prove that you know your secrets without disclosing all of them 1 space with no distance, inhabitants with no body, "Satan s computer"
15 Tools of authentication In cyberspace 1 there are only messages... Problem of authentication you have no biometric properties no smart cards Tools you only know your secrets... authentication is just responding to challenges you must prove that you know your secrets without disclosing all of them Everyone who knows all your secrets is you. 1 space with no distance, inhabitants with no body, "Satan s computer"
16 Outline Basic ideas of authentication Challenge-Response Challenge-Response protocols Basic implementations of CR Mutual authentication Server Example: protocol
17 First authentication protocol
18 First authentication protocol
19 First authentication protocol
20 The Challenge-Response Protocol Pattern A νx c AB x B r AB x
21 The Challenge-Response Protocol Pattern A νx B c AB x (r AB x)
22 The Challenge-Response Protocol Pattern A νx B c AB x ((c AB x)) (r AB x) r AB x
23 The Challenge-Response Protocol Pattern A νx B c AB x ((c AB x)) (r AB x) r AB x A : (νx) A c AB x A (r AB x) A ) = ((νx) A c AB x A ((c AB x)) B r AB x B (r AB x) A (cr)
24 The Challenge-Response Protocol Pattern Notation νx generate fresh nonce (into) x
25 The Challenge-Response Protocol Pattern Notation νx generate fresh nonce (into) x t send a message t t send a message containing t
26 The Challenge-Response Protocol Pattern Notation νx generate fresh nonce (into) x t send a message t t send a message containing t (t) receive a message (into) t ((t)) receive a message containing t
27 The Challenge-Response Protocol Pattern Notation νx generate fresh nonce (into) x t send a message t t send a message containing t (t) receive a message (into) t ((t)) receive a message containing t a Alice the action a is performed by Alice t Alice is the originator of t Alice
28 The Challenge-Response Protocol Pattern Remark For simplicity, we are glossing over some subtle details. E.g., Alice is often not capable to produce the term r AB x. How does she verify that she has received a valid response to her challenge?
29 The Challenge-Response Protocol Pattern Remark For simplicity, we are glossing over some subtle details. E.g., Alice is often not capable to produce the term r AB x. How does she verify that she has received a valid response to her challenge? She is given a verification algorithm V AB V AB (y, x) y = r AB x
30 The Challenge-Response Protocol Pattern Remark For simplicity, we are glossing over some subtle details. E.g., Alice is often not capable to produce the term r AB x. How does she verify that she has received a valid response to her challenge? She is given a verification algorithm V AB V AB (y, x) y = r AB x We shall soon see an instance of this.
31 Origination axiom A ((t))
32 Origination axiom A X t ((t))
33 Origination axiom A X t ((t)) A : ((t)) A = X. t X ((t)) A (rcv)
34 Freshness axiom A νx B a(x)
35 Freshness axiom A νx B A a(x)
36 Freshness axiom A νx x B A ((x)) a(x)
37 Freshness axiom A νx x B A ((x)) a(x) ( ((νx)a ) (νx) A x FV(a B ) = a B A B = ( (νx) A x A ((x)) B a B ) ) (new)
38 Challenge-Response with Signature (CRS 0 ) = (CR) [ c AB x = x, r AB x = S B x ] A νx x B V B (y,x) S B x y S B t = S B u = t = u (sig1) S B t X = X = B (sig2) V B (y, t) y = S B t (sig3)
39 Challenge-Response with Signature (CRS 0 ) = (CR) [ c AB x = x, r AB x = S B x ] Proposition (CRS) is an implementation of (CR), for A B.
40 Challenge-Response with Signature (CRS 0 ) = (CR) [ c AB x = x, r AB x = S B x ] Proposition (CRS) is an implementation of (CR), for A B. More precisely, if axioms (rcv) and (new) are satisfied, then (sig1) (sig2) (sig3) = (cr)[c AB x=x, r AB x=s B x] whenever A B.
41 Proof Suppose that Alice sees A νx x (y V B (y,x))
42 Proof Suppose that Alice sees A νx x (y V B (y,x)) where ( y V B (y, x) ) means that y passes the test V B (y, x).
43 Proof (continued) Since (sig3) tells V B (y, x) y = S B x, we have A νx x (S B x)
44 Proof (continued) By (rcv), everything that is received must have been sent. A νx Y x (S B x) S B x
45 Proof (continued)... and by (sig2), S B t Y = Y = B. A νx B x (S B x) S B x
46 Proof (continued) Since (sig1) implies x FV S B x, (new) implies A νx B x (S B x) S B x
47 Proof (completed)... and finally A B and the second part of (new) yield A νx B x ((x)) (S B x) S B x
48 Simple signature system Definition Given the types M of plaintexts S of signatures K of keys
49 Simple signature system Definition... a simple signature system is a triple of algorithms: key generation K S, K V :K K signing S :K M S, and verification V :K S M {0, 1}
50 Simple signature system Definition... that together provide signature verification: V(K V, s, m) s = S(K S, m) unforgeability: ( m. V(KV, A(m), m) ) = A(m) = S(K S, m) for all feasible attackers A :M S
51 Example of a simple signature system: RSA M =C=Z n, where n = pq, p, q prime K =Z ϕ(n) K S = d private key K V = d 1 modϕ(n) public key S(d, m) = m d mod n V(e, s, m) s e = m mod n
52 Probabilistic signature systems Remark While the signature verification condition defines the basic functionality of the signatures, the unforgeability condition is a logical approximation of the desired security.
53 Probabilistic signature systems Remark While the signature verification condition defines the basic functionality of the signatures, the unforgeability condition is a logical approximation of the desired security. Going beyond the simple signature systems, we refine the unforgeability condition to various probabilistic versions
54 Probabilistic signature systems Remark While the signature verification condition defines the basic functionality of the signatures, the unforgeability condition is a logical approximation of the desired security. Going beyond the simple signature systems, we refine the unforgeability condition to various probabilistic versions just like the trapdoor encryption condition on crypto systems was refined to the various notions of secrecy.
55 Example of a probabilistic signature system: El Gamal Fix a finite fieldfand g F. M =F S =F F K V (a) = g a K S (a) = a K =F F S(r, k, m) = g r, (m k g r ) r 1 R=F V(k, c 1, c 2,m) ( k c1 c c 2 1 = gm)
56 Example of a probabilistic signature system: El Gamal Fix a finite fieldfand g F. M =F S =F F K V (a) = g a K S (a) = a K =F F S(r, k, m) = g r, (m k g r ) r 1 R=F V(k, c 1, c 2,m) ( k c1 c c 2 1 = gm) Signature verification V(K V (a), S(r, K S (a), m), m) V(g a, S(r, a, m), m) V ( g a, g r, (m ag r )r 1, m ) ( g agr g r(m agr )r 1 = g m)
57 Signature systems Homework Prove that the RSA system satisfies the signature verification and the unforgeability conditions. Which assumptions do you need? Prove that the El Gamal system satisfies the signature verification condition. What is the role of the random seeds r Rin unforgeability?
58 CR with Public Key Encryption (CRE) = (CR) [ c AB x = E B (A.x), r AB x = x ] A νx E B (A.x) B x A : (νx) A E B t(x) A x X = X = A X = B (enc)
59 CR with Shared Key at the Input (CRKI) = (CR) [ c AB x = K AB (A.x), r AB x = x ] A νx K AB (A.x) B x K AB t = K AB u = t = u (hk1) K AB t X = X = A X = B (hk2) K AB = K BA (hk3)
60 CR with Shared Key at the Output (CRKO) = (CR) [ c AB x = x, r AB x = K AB (A.x) ] A νx x B K AB (A.x) K AB t = K AB u = t = u (hk1) K AB t X = X = A X = B (hk2) K AB = K BA (hk3)
61 Basic CR-implementations CR CRP CRK CRE CRS CRKI CRKO
62 Basic CR-implementations CR CRP CRK CRE CRS CRKI CRKO (The difference between (CRS) and (CRS 0 ) is discussed later.)
63 Mutual authentication To establish a session, Alice and Bob authenticate each other A B A B νx x S B x y νy S A y
64 Mutual authentication: (CRS 0 -seq)... and Bob responds eagerly... A B νx x y,s B x νy S A y
65 Mutual authentication: (CRS 0 -seq) 2... binding the two authentications together... A B νx x y,s B (x.y) νy S A (x.y) 2 This protocol is better known as (ISO ).
66 Mutual authentication: (CRS 0 -nest)... or Bob may respond lazily... A B A B νx x y νy S A y S B x
67 Mutual authentication: (CRS 0 -nest)... first authenticates Alice... A B νx x y S A y νy S B x
68 Mutual authentication: (CRS 0 -nest)... but the two authentications still need to be bound together. A B νx x y S A (x.y) νy S B (x.y)
69 Formalizing mutual authentication conversation records We say that a protocol realizes mutual authentication if each of the participants can prove all participants send and receive actions
70 Formalizing mutual authentication conversation records We say that a protocol realizes mutual authentication if each of the participants can prove all participants send and receive actions except the last send-receive pair
71 Formalizing mutual authentication conversation records We say that a protocol realizes mutual authentication if each of the participants can prove all participants send and receive actions except the last send-receive pair and all principals views of the content of the messages sent and received, and the ordering in which they were sent and received coincide (i.e. match).
72 Formalizing mutual authentication Remark Suppose that Alice s and Bob s views of their conversation match. This implies that their view of their conversation is true, because Alice s view of what she said is true, and Bob s view of what he said is true, and therefore if Alice s view of what Bob said matches Bob s view of Bob said, then Alice s view of what Bob said is true. Ditto for Bob.
73 conversations in (CRS 0 -nest) Proposition Protocol (CRS 0 -nest) realizes mutual authentication
74 conversations in (CRS 0 -nest) Proposition Protocol (CRS 0 -nest) realizes mutual authentication, provided that both principals are honest.
75 conversations in (CRS 0 -nest) Proposition Protocol (CRS 0 -nest) realizes mutual authentication, provided that both principals are honest. Formal notion of honesty We say that a principal in a protocol is honest within a protocol if she acts according to the protocol.
76 conversations in (CRS 0 -nest) Proposition Protocol (CRS 0 -nest) realizes mutual authentication, provided that both principals are honest. Formal notion of honesty We say that a principal in a protocol is honest within a protocol if she acts according to the protocol. This means that she only performs her actions in the prescribed order, and with the prescribed data.
77 conversations in (CRS 0 -nest): Alice Initially, Alice only sees her own actions: A νx B x (u) S A (x.u) (S B (x.u))
78 conversations in (CRS 0 -nest): Alice By (cr) [ c AB = id, r AB = S B] (proved earlier) A νx B x (u) ((x)) S A (x.u) (S B (x.u)) S B (x.u)
79 conversations in (CRS 0 -nest): Alice But Bob is honest, so he only sends S B (x.y) for a fresh y A B νx x (u) νy y B honest (x) S A (x.u) (S B (x.u)) (sig1) (u=y) (S A (x.y)) S B (x.y)
80 conversations in (CRS 0 -nest): Alice By (rcv), someone must have sent u A νx B x (u) (rcv) u Y νy y B honest (x) S A (x.u) (S B (x.u)) (sig1) (u=y) (S A (x.y)) S B (x.y)
81 conversations in (CRS 0 -nest): Alice Finally, using u = y, derived before, Alice concludes A B νx x νy (x) (u) (rcv) u Y (u=y) (new) y B honest S A (x.u) (S B (x.u)) (u=y) (sig1) (u=y) (S A (x.y)) S B (x.y)
82 conversations in (CRS 0 -nest): Alice Alice has derived the ordering of her and Bob s actions: A νx B x (u) u Y νy y (x) S A (x.u) (S B (x.u)) (S A (x.y)) S B (x.y)
83 conversations in (CRS 0 -nest): Bob Initially, Bob only sees his own actions: A B (v) νy y (S A (v.y)) S B (v.y)
84 conversations in (CRS 0 -nest): Bob By the (cr)-axiom, he concludes that Alice must be on-line. A B (v) νy ((y)) y S A (v.y) (S A (v.y)) S B (v.y)
85 conversations in (CRS 0 -nest): Bob Since she is honest, she acted according to the protocol: A νx B x A honest A honest (v) νy (y) ((y)) y A honest S A (x.y) S A (v.y) (sig1) (x=v) (S A (v.y)) S B (v.y)
86 conversations in (CRS 0 -nest): Bob By (rcv), someone must have sent the first message. A νx B A honest x v X (rcv) (v) A honest νy (y) ((y)) y A honest S A (x.y) S A (v.y) (sig1) (x=v) (S A (v.y)) S B (v.y)
87 conversations in (CRS 0 -nest): Bob By (sig1) and (new), that must have been Alice. A νx B A honest x (x=v) (new) v X (rcv) (v) A honest νy (y) ((y)) y A honest S A (x.y) S A (v.y) (sig1) (x=v) (S A (v.y)) S B (v.y)
88 conversations in (CRS 0 -nest): Bob Bob has derived the total order of his and Alice s actions. A νx B x v X (v) νy (y) ((y)) y S A (x.y) S A (v.y) (S A (v.y)) S B (v.y)
89 conversations in (CRS 0 -nest) Both Alice and Bob have thus recorded the following conversation (νx) A < x A < (x) B < (νy) B < y B < (y) A < S A (x.y) A <( S A (x.y) ) B < S B (x.y) B Their records match, and the mutual authentication is achieved.
90 Mutual authentication by (CRE) Homework Compose two instances of the (CRE) protocol, to build a protocol (CRE-seq) for mutual authentication. Analyze the difference between (CRE-seq) and the (NSPK) protocol, introduced in Sec. 5 of Part 3? Is (CRE-seq) vulnerable to the same attack as (NSPK)?
91 Mutual authentication by (CRK)? The main shortcoming of both (CRKO) and (CRKI) protocols is that Alice and Bob are required to share a secret k AB to run these protocols.
92 Mutual authentication by (CRK)? The main shortcoming of both (CRKO) and (CRKI) protocols is that Alice and Bob are required to share a secret k AB to run these protocols. This defeats the purpose of authentication, because generating a shared secret k AB is usually the whole point.
93 Server An Server S shares a symmetric key k BS with every principal B.
94 Server An Server S shares a symmetric key k BS with every principal B. service proceeds as follows A authenticates S, using K AS m = E(k AS, m) S authenticates B using K BS m = E(k BS, m) if S is honest, then A thus authenticates B.
95 services CRKI A B νx K AB (A.x) x
96 services CRKII A S B νx K AS (B.x) K BS (A.x) x
97 services CRKIO A S B νx K AS (B.x) ) K (A.K BS AS (B.x) x
98 services CRKO A νx B x K AB (A.x)
99 services CRKOI A S B νx x ) K (A.K BS AS (B.x) K AS (B.x)
100 services CRKOO A S B νx x K BS (A.x) K AS (B.x)
101 Towards the protocol Component 1: CRKOO A S B νx x K BS (A.x) K AS (B.x)
102 Towards the protocol Component 2: CRKII A S B K BS (A.y) νy K AS (B.y) y
103 Towards the protocol Step 3: Composition A S B νx x νy K BS (A.x),K BS (A.y) K AS (B.x),K AS (B.y) y
104 Towards the protocol Step 4: Binding A S B νx x νy K BS (A.x.y) K AS (B.x.y) y
105 Towards the protocol Step 5: Key distribution A S B νx x νy K BS (A.x.y) K AS (B.z.x.y), K BS (A.z) u, v νz y,v
106 protocol Step 5: Key confirmation A S B νx x νy K BS (A.x.y) K AS (B.z.x.y), K BS (A.z) u, v νz K AB (y),v K AB (m)=e(z,m)
107 Outline Basic ideas of authentication Challenge-Response Attacks What did we learn?
108 Outline Basic ideas of authentication Challenge-Response Attacks What did we learn?
Principles of Security Part 4: Authentication protocols Sections 3 and 4
Principles of Security Part 4: protocols Sections 3 and 4 Oxford Michaelmas Term 2008 Outline asic ideas of authentication Challenge-Response ttacks What did we learn? Outline asic ideas of authentication
More informationKey Establishment and Authentication Protocols EECE 412
Key Establishment and Authentication Protocols EECE 412 1 where we are Protection Authorization Accountability Availability Access Control Data Protection Audit Non- Repudiation Authentication Cryptography
More informationCS 161 Computer Security
Popa & Wagner Spring 2016 CS 161 Computer Security Discussion 5 Week of February 19, 2017 Question 1 Diffie Hellman key exchange (15 min) Recall that in a Diffie-Hellman key exchange, there are values
More informationIntroduction to Cryptography Lecture 7
Introduction to Cryptography Lecture 7 El Gamal Encryption RSA Encryption Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing
More informationPublic-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7
Public-Key Cryptography Professor Yanmin Gong Week 3: Sep. 7 Outline Key exchange and Diffie-Hellman protocol Mathematical backgrounds for modular arithmetic RSA Digital Signatures Key management Problem:
More informationSpring 2010: CS419 Computer Security
Spring 2010: CS419 Computer Security Vinod Ganapathy Lecture 7 Topic: Key exchange protocols Material: Class handout (lecture7_handout.pdf) Chapter 2 in Anderson's book. Today s agenda Key exchange basics
More informationECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos
ECE596C: Handout #9 Authentication Using Shared Secrets Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract. In this lecture we introduce the concept of authentication and
More informationModule: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security
CMPSC443 - Introduction to Computer and Network Security Module: Cryptographic Protocols Professor Patrick McDaniel Spring 2009 1 Key Distribution/Agreement Key Distribution is the process where we assign
More informationBAN Logic. Logic of Authentication 1. BAN Logic. Source. The language of BAN. The language of BAN. Protocol 1 (Needham-Schroeder Shared-Key) [NS78]
Logic of Authentication 1. BAN Logic Ravi Sandhu BAN Logic BAN is a logic of belief. In an analysis, the protocol is first idealized into messages containing assertions, then assumptions are stated, and
More informationKey Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature
Key Management Digital signatures: classical and public key Classic and Public Key exchange 1 Handwritten Signature Used everyday in a letter, on a check, sign a contract A signature on a signed paper
More informationComputer Networks & Security 2016/2017
Computer Networks & Security 2016/2017 Network Security Protocols (10) Dr. Tanir Ozcelebi Courtesy: Jerry den Hartog Courtesy: Kurose and Ross TU/e Computer Science Security and Embedded Networked Systems
More informationChapter 9: Key Management
Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures Slide #9-1 Overview Key exchange Session vs. interchange
More informationDiffie-Hellman. Part 1 Cryptography 136
Diffie-Hellman Part 1 Cryptography 136 Diffie-Hellman Invented by Williamson (GCHQ) and, independently, by D and H (Stanford) A key exchange algorithm o Used to establish a shared symmetric key Not for
More informationCryptographic Protocols 1
Cryptographic Protocols 1 Luke Anderson luke@lukeanderson.com.au 5 th May 2017 University Of Sydney Overview 1. Crypto-Bulletin 2. Problem with Diffie-Hellman 2.1 Session Hijacking 2.2 Encrypted Key Exchange
More informationT Cryptography and Data Security
T-79.4501 Cryptography and Data Security Lecture 10: 10.1 Random number generation 10.2 Key management - Distribution of symmetric keys - Management of public keys Stallings: Ch 7.4; 7.3; 10.1 1 The Use
More informationLecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena
Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall 2009 Nitesh Saxena *Adopted from a previous lecture by Gene Tsudik Course Admin HW3 Problem 3 due Friday midnight
More information1 A Tale of Two Lovers
CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Dec. 12, 2006 Lecture Notes 19 (expanded): Secure Two-Party Computation Recommended Reading. Goldreich Volume II 7.2.2, 7.3.2, 7.3.3.
More informationIdeal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012
Ideal Security Protocol Satisfies security requirements Requirements must be precise Efficient Small computational requirement Small bandwidth usage, network delays Not fragile Works when attacker tries
More informationElements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy
Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 2 Due: Friday, 10/28/2016 at 11:55pm PT Will be posted on
More informationCSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography Outline 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More informationOutline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography 1. Introduction 2. RSA Outline 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More informationSecure Multiparty Computation
CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationSecurity protocols and their verification. Mark Ryan University of Birmingham
Security protocols and their verification Mark Ryan University of Birmingham Contents 1. Authentication protocols (this lecture) 2. Electronic voting protocols 3. Fair exchange protocols 4. Digital cash
More informationChapter 9 Public Key Cryptography. WANG YANG
Chapter 9 Public Key Cryptography WANG YANG wyang@njnet.edu.cn Content Introduction RSA Diffie-Hellman Key Exchange Introduction Public Key Cryptography plaintext encryption ciphertext decryption plaintext
More informationOutline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)
Outline AIT 682: Network and Systems Security 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard Topic 5.2 Public Key Cryptography Instructor: Dr. Kun Sun 2 Public Key
More information(More) cryptographic protocols
(More) cryptographic protocols Myrto Arapinis School of Informatics University of Edinburgh October 19, 2017 1/24 Authentication and key agreement protocols 2/24 Authentication and key agreement Long-term
More informationProtocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh
Protocols II Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 17th February 2011 Outline Introduction Shared-key Authentication Asymmetric authentication protocols
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 4, 2017 CPSC 467, Lecture 11 1/39 ElGamal Cryptosystem Message Integrity and Authenticity Message authentication codes
More informationCS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong
CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationCS 161 Computer Security
Paxson Spring 2013 CS 161 Computer Security 3/14 Asymmetric cryptography Previously we saw symmetric-key cryptography, where Alice and Bob share a secret key K. However, symmetric-key cryptography can
More informationCS 395T. Formal Model for Secure Key Exchange
CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,
More informationCryptography III Want to make a billion dollars? Just factor this one number!
Cryptography III Want to make a billion dollars? Just factor this one number! 3082010a0282010100a3d56cf0bf8418d66f400be31c3f22036ca9f5cf01ef614de2eb9a1cd74a0c344b5a20d5f80df9a23c89 10c354821aa693432a61bd265ca70f309d56535a679d68d7ab89f9d32c47c1182e8a14203c050afd5f1831e5550e8700e008f2
More informationOther Topics in Cryptography. Truong Tuan Anh
Other Topics in Cryptography Truong Tuan Anh 2 Outline Public-key cryptosystem Cryptographic hash functions Signature schemes Public-Key Cryptography Truong Tuan Anh CSE-HCMUT 4 Outline Public-key cryptosystem
More informationProofs for Key Establishment Protocols
Information Security Institute Queensland University of Technology December 2007 Outline Key Establishment 1 Key Establishment 2 3 4 Purpose of key establishment Two or more networked parties wish to establish
More informationReal-time protocol. Chapter 16: Real-Time Communication Security
Chapter 16: Real-Time Communication Security Mohammad Almalag Dept. of Computer Science Old Dominion University Spring 2013 1 Real-time protocol Parties negotiate interactively (Mutual) Authentication
More informationCS 494/594 Computer and Network Security
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Real-Time Communication Security Network layers
More informationKurose & Ross, Chapters (5 th ed.)
Kurose & Ross, Chapters 8.2-8.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) Addison-Wesley, April 2009. Copyright 1996-2010, J.F Kurose and
More informationCS Computer Networks 1: Authentication
CS 3251- Computer Networks 1: Authentication Professor Patrick Traynor 4/14/11 Lecture 25 Announcements Homework 3 is due next class. Submit via T-Square or in person. Project 3 has been graded. Scores
More informationAuth. Key Exchange. Dan Boneh
Auth. Key Exchange Review: key exchange Alice and want to generate a secret key Saw key exchange secure against eavesdropping Alice k eavesdropper?? k This lecture: Authenticated Key Exchange (AKE) key
More informationEncryption. INST 346, Section 0201 April 3, 2018
Encryption INST 346, Section 0201 April 3, 2018 Goals for Today Symmetric Key Encryption Public Key Encryption Certificate Authorities Secure Sockets Layer Simple encryption scheme substitution cipher:
More informationCrypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))
Introduction (Mihir Bellare Text/Notes: http://cseweb.ucsd.edu/users/mihir/cse207/) Cryptography provides: Data Privacy Data Integrity and Authenticity Crypto-systems all around us ATM machines Remote
More informationChapter 9. Public Key Cryptography, RSA And Key Management
Chapter 9 Public Key Cryptography, RSA And Key Management RSA by Rivest, Shamir & Adleman of MIT in 1977 The most widely used public-key cryptosystem is RSA. The difficulty of attacking RSA is based on
More informationICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification
ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification Hossen Asiful Mustafa Introduction Entity Authentication is a technique designed to let one party prove the identity of another
More informationElements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy
Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 3 Due: Monday, 11/28/2016 at 11:55pm PT Solution: Will be posted
More informationCryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1
Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography CS555 Spring 2012/Topic 16 1 Outline and Readings Outline Private key management between two parties Key management
More informationח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms
Public Key Cryptography Kurose & Ross, Chapters 8.28.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) AddisonWesley, April 2009. Copyright 19962010,
More informationLogic of Authentication
Logic of Authentication Dennis Kafura Derived from materials authored by: Burrows, Abadi, Needham 1 Goals and Scope Goals develop a formalism to reason about authentication protocols uses determine guarantees
More informationOther Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?
ryptography Goals Protect private communication in the public world and are shouting messages over a crowded room no one can understand what they are saying 1 Other Uses of ryptography Authentication should
More informationSecurity protocols. Correctness of protocols. Correctness of protocols. II. Logical representation and analysis of protocols.i
Security protocols Logical representation and analysis of protocols.i A security protocol is a set of rules, adhered to by the communication parties in order to ensure achieving various security or privacy
More informationCS 395T. Analyzing SET with Inductive Method
CS 395T Analyzing SET with Inductive Method Theorem Proving for Protocol Analysis Prove correctness instead of looking for bugs Use higher-order logic to reason about all possible protocol executions No
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 6 Week of March 6, 2017 Question 1 Password Hashing (10 min) When storing a password p for user u, a website randomly generates a string s (called
More informationElements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy
Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 3 Due: Monday, 11/28/2016 at 11:55pm PT Solution: Will be posted
More informationFormal Methods for Assuring Security of Computer Networks
for Assuring of Computer Networks May 8, 2012 Outline Testing 1 Testing 2 Tools for formal methods Model based software development 3 Principals of security Key security properties Assessing security protocols
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.5 Public Key Algorithms CSC 474/574 Dr. Peng Ning 1 Public Key Algorithms Public key algorithms covered in this class RSA: encryption and digital signature
More informationCIS 4360 Secure Computer Systems Applied Cryptography
CIS 4360 Secure Computer Systems Applied Cryptography Professor Qiang Zeng Spring 2017 Symmetric vs. Asymmetric Cryptography Symmetric cipher is much faster With asymmetric ciphers, you can post your Public
More informationA Derivation System for Security Protocols and its Logical Formalization
A Derivation System for Security Protocols and its Logical Formalization Anupam Datta Ante Derek John C. Mitchell Dusko Pavlovic Stanford University CSFW July 1, 2003 Kestrel Institute Contributions Protocol
More informationCS 161 Computer Security
Raluca Popa Spring 2018 CS 161 Computer Security Homework 2 Due: Wednesday, February 14, at 11:59pm Instructions. This homework is due Wednesday, February 14, at 11:59pm. No late homeworks will be accepted.
More informationCryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology
Cryptography & Key Exchange Protocols Faculty of Computer Science & Engineering HCMC University of Technology Outline 1 Cryptography-related concepts 2 3 4 5 6 7 Key channel for symmetric cryptosystems
More informationCryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 38 A Tutorial on Network Protocols
More informationOutline More Security Protocols CS 239 Computer Security February 4, 2004
Outline More Security Protocols CS 239 Computer Security February 4, 2004 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication
More informationCSE 127: Computer Security Cryptography. Kirill Levchenko
CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified
More informationOutline More Security Protocols CS 239 Computer Security February 6, 2006
Outline More Security Protocols CS 239 Computer Security February 6, 2006 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication
More informationEncryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls
Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls Overview Cryptography functions Secret key (e.g., DES) Public key (e.g., RSA) Message
More information1 Identification protocols
ISA 562: Information Security, Theory and Practice Lecture 4 1 Identification protocols Now that we know how to authenticate messages using MACs, a natural question is, how can we use MACs to prove that
More informationLecture 15: Public Key Encryption: I
CSE 594 : Modern Cryptography 03/28/2017 Lecture 15: Public Key Encryption: I Instructor: Omkant Pandey Scribe: Arun Ramachandran, Parkavi Sundaresan 1 Setting In Public-key Encryption (PKE), key used
More informationSession key establishment protocols
our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session
More informationCSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring 2018 5 and 6 February 2018 Identification schemes are mechanisms for Alice to prove her identity to Bob They comprise a setup
More informationFall 2005 Joseph/Tygar/Vazirani/Wagner Final
CS 161 Computer Security Fall 2005 Joseph/Tygar/Vazirani/Wagner Final PRINT your name:, (last) SIGN your name: (first) PRINT your Unix account name: PRINT your TA s name: You may consult any books, notes,
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 7 January 30, 2012 CPSC 467b, Lecture 7 1/44 Public-key cryptography RSA Factoring Assumption Computing with Big Numbers Fast Exponentiation
More informationSession key establishment protocols
our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session
More informationLecture 8 - Message Authentication Codes
Lecture 8 - Message Authentication Codes Benny Applebaum, Boaz Barak October 12, 2007 Data integrity Until now we ve only been interested in protecting secrecy of data. However, in many cases what we care
More informationCryptography: More Primitives
Design and Analysis of Algorithms May 8, 2015 Massachusetts Institute of Technology 6.046J/18.410J Profs. Erik Demaine, Srini Devadas and Nancy Lynch Recitation 11 Cryptography: More Primitives 1 Digital
More informationAuthentication. Strong Password Protocol. IT352 Network Security Najwa AlGhamdi
Authentication Strong Password Protocol 1 Strong Password Protocol Scenario : Alice uses any workstation to log to the server B, using a password to authenticate her self. Various way to do that? Use Ur
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationInformation Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1
Information Security message M one-way hash fingerprint f = H(M) 4/19/2006 Information Security 1 Outline and Reading Digital signatures Definition RSA signature and verification One-way hash functions
More informationA Derivation System for Security Protocols and its Logical Formalization
A Derivation System for Security Protocols and its Logical Formalization Anupam Datta Ante Derek John C. Mitchell Dusko Pavlovic Computer Science Dept. Kestrel Institute Stanford University Palo Alto,
More informationWinter 2018 CS134: Computer and Network Security Homework 2 Due: 02/26/18, 11:59pm
Winter 2018 CS134: Computer and Network Security Homework 2 Due: 02/26/18, 11:59pm Full Name: UCI ID Number: Sources: Guidelines: Use any word processor. Write your Name, UCInetID and Student ID on each
More informationRSA. Public Key CryptoSystem
RSA Public Key CryptoSystem DIFFIE AND HELLMAN (76) NEW DIRECTIONS IN CRYPTOGRAPHY Split the Bob s secret key K to two parts: K E, to be used for encrypting messages to Bob. K D, to be used for decrypting
More informationDigital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)
Message Authentication Code (MAC) Key-dependent one-way hash function Only someone with a correct key can verify the hash value Easy way to turn one-way hash function into MAC is to encrypt hash value
More informationInformation Security CS 526
Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric
More informationDigital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2
Digital Signatures KG November 3, 2017 Contents 1 Introduction 1 2 Digital Signatures 2 3 Hash Functions 3 3.1 Attacks.................................... 4 3.2 Compression Functions............................
More informationGrenzen der Kryptographie
Microsoft Research Grenzen der Kryptographie Dieter Gollmann Microsoft Research 1 Summary Crypto does not solve security problems Crypto transforms security problems Typically, the new problems relate
More informationCS3235 Seventh set of lecture slides
CS3235 Seventh set of lecture slides Hugh Anderson National University of Singapore School of Computing October, 2007 Hugh Anderson CS3235 Seventh set of lecture slides 1 Warp 9... Outline 1 Public Key
More informationLecture 10, Zero Knowledge Proofs, Secure Computation
CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last
More information18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange. Dan Boneh
18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange Online Cryptography Course Basic key exchange Trusted 3 rd parties Key management Problem: n users. Storing mutual secret keys is difficult
More informationIntroduction to Cryptography Lecture 7
Introduction to Cryptography Lecture 7 Public-Key Encryption: El-Gamal, RSA Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing
More informationLecture 6.2: Protocols - Authentication and Key Exchange II. CS 436/636/736 Spring Nitesh Saxena. Course Admin
Lecture 6.2: Protocols - Authentication and Key II CS 436/636/736 Spring 2012 Nitesh Saxena Mid-Term Grading Course Admin Will be done over the break Scores will be posted online and graded exams distribute
More informationApplied Cryptography and Computer Security CSE 664 Spring 2017
Applied Cryptography and Computer Security Lecture 18: Key Distribution and Agreement Department of Computer Science and Engineering University at Buffalo 1 Key Distribution Mechanisms Secret-key encryption
More informationDigital Signatures. Luke Anderson. 7 th April University Of Sydney.
Digital Signatures Luke Anderson luke@lukeanderson.com.au 7 th April 2017 University Of Sydney Overview 1. Digital Signatures 1.1 Background 1.2 Basic Operation 1.3 Attack Models Replay Naïve RSA 2. PKCS#1
More informationAuthentication and Key Distribution
1 Alice and Bob share a key How do they determine that they do? Challenge-response protocols 2 How do they establish the shared secret in the first place? Key distribution PKI, Kerberos, Other key distribution
More informationComputer Security Course. Public Key Crypto. Slides credit: Dan Boneh
Computer Security Course. Dawn Song Public Key Crypto Slides credit: Dan Boneh Administra>ve Issues Security is a fast- changing field We cover a broad spectrum of areas in computer security Hence, there
More informationCS 161 Computer Security
Popa & Wagner Spring 2016 CS 161 Computer Security Midterm 2 Print your name:, (last) (first) I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that academic misconduct will be
More informationIntroduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell
Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell 1 Cryptography Merriam-Webster Online Dictionary: 1. secret writing 2. the enciphering and deciphering
More informationCryptography V: Digital Signatures
Cryptography V: Digital Signatures Computer Security Lecture 10 David Aspinall School of Informatics University of Edinburgh 10th February 2011 Outline Basics Constructing signature schemes Security of
More informationPUBLIC KEY CRYPTO. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA
PUBLIC KEY CRYPTO Anwitaman DATTA SCSE, NTU Singapore Acknowledgement: The following lecture slides are based on, and uses material from the text book Cryptography and Network Security (various eds) by
More information0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken
0/41 Alice Who? Authentication Protocols Andreas Zeller/Stephan Neuhaus Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken The Menu 1/41 Simple Authentication Protocols The Menu 1/41 Simple
More informationHomework 1 CS161 Computer Security, Spring 2008 Assigned 2/4/08 Due 2/13/08
Homework 1 CS161 Computer Security, Spring 2008 Assigned 2/4/08 Due 2/13/08 This homework assignment is due Wednesday, February 13 at the beginning of lecture. Please bring a hard copy to class; either
More informationSECURITY IN NETWORKS
SECURITY IN NETWORKS GOALS Understand principles of network security: Cryptography and its many uses beyond con dentiality Authentication Message integrity WHAT IS NETWORK SECURITY? Con dentiality: only
More information