Principles of Security Part 4: Authentication protocols Sections 1 and 2

Size: px
Start display at page:

Download "Principles of Security Part 4: Authentication protocols Sections 1 and 2"

Transcription

1 Principles of Security Part 4: protocols Sections 1 and 2 Oxford Michaelmas Term 2008

2 Outline Basic ideas of authentication Challenge-Response Attacks What did we learn?

3 Outline Basic ideas of authentication What is the problem of authentication? Tools of authentication Challenge-Response Problem of authentication Tools Attacks What did we learn?

4 Recall from Lecture 1 Information security secrecy: "bad information flows don t happen" authenticity: "good information flows do happen" Problem of authentication Tools In network computation all information flow constraints are security properties

5 Recall terminology Information security confidentiality: "bad information flows don t... " integrity: "good information flows do... " Problem of authentication Tools Although not synonymous secrecy, confidentiality and privacy authenticity and integrity are often used interchanteably

6 Recall from Part 3 It is easy to generate a shared secret A νx B Problem of authentication Tools A to B:g x νy B to A:g y k AB =(g y ) x k AB =(g x ) y

7 Recall from Part 3 It is hard to know who is it shared with A M B νx A to B:g x Problem of authentication Tools B to A:gỹ ν x A to B:g x νỹ B to A:g y νy k AB =g xỹ g xỹ g xy AB k =g xy

8 Problem of authentication Problem of authentication Tools

9 Problem of authentication Problem of authentication Tools "There is no logical impossibility in the hypothesis that the world sprang into being five minutes ago, exactly as it then was, with a population that remembered a wholly unreal past." Bertrand Russell, The Analysis of Mind

10 Logics of authentication Derive global facts from local observations Problem of authentication Tools René Descartes: "I think, therefore I exist."

11 Tools of authentication You authenticate yourself by leveraging over: Problem of authentication Tools what you know: secrets, digital keys what you have: tokens, smart cards, physical keys what you are: biometric properties, handwriting

12 Tools of authentication You authenticate yourself by leveraging over: Problem of authentication Tools what you know: secrets, digital keys can be copied and given away what you have: tokens, smart cards, physical keys can be given away, but not copied what you are: biometric properties, handwriting cannot be given away, or copied

13 Tools of authentication In cyberspace 1 there are only messages... Problem of authentication you have no biometric properties no smart cards Tools you only know your secrets 1 space with no distance, inhabitants with no body, "Satan s computer"

14 Tools of authentication In cyberspace 1 there are only messages... Problem of authentication you have no biometric properties no smart cards Tools you only know your secrets... authentication is just responding to challenges you must prove that you know your secrets without disclosing all of them 1 space with no distance, inhabitants with no body, "Satan s computer"

15 Tools of authentication In cyberspace 1 there are only messages... Problem of authentication you have no biometric properties no smart cards Tools you only know your secrets... authentication is just responding to challenges you must prove that you know your secrets without disclosing all of them Everyone who knows all your secrets is you. 1 space with no distance, inhabitants with no body, "Satan s computer"

16 Outline Basic ideas of authentication Challenge-Response Challenge-Response protocols Basic implementations of CR Mutual authentication Server Example: protocol

17 First authentication protocol

18 First authentication protocol

19 First authentication protocol

20 The Challenge-Response Protocol Pattern A νx c AB x B r AB x

21 The Challenge-Response Protocol Pattern A νx B c AB x (r AB x)

22 The Challenge-Response Protocol Pattern A νx B c AB x ((c AB x)) (r AB x) r AB x

23 The Challenge-Response Protocol Pattern A νx B c AB x ((c AB x)) (r AB x) r AB x A : (νx) A c AB x A (r AB x) A ) = ((νx) A c AB x A ((c AB x)) B r AB x B (r AB x) A (cr)

24 The Challenge-Response Protocol Pattern Notation νx generate fresh nonce (into) x

25 The Challenge-Response Protocol Pattern Notation νx generate fresh nonce (into) x t send a message t t send a message containing t

26 The Challenge-Response Protocol Pattern Notation νx generate fresh nonce (into) x t send a message t t send a message containing t (t) receive a message (into) t ((t)) receive a message containing t

27 The Challenge-Response Protocol Pattern Notation νx generate fresh nonce (into) x t send a message t t send a message containing t (t) receive a message (into) t ((t)) receive a message containing t a Alice the action a is performed by Alice t Alice is the originator of t Alice

28 The Challenge-Response Protocol Pattern Remark For simplicity, we are glossing over some subtle details. E.g., Alice is often not capable to produce the term r AB x. How does she verify that she has received a valid response to her challenge?

29 The Challenge-Response Protocol Pattern Remark For simplicity, we are glossing over some subtle details. E.g., Alice is often not capable to produce the term r AB x. How does she verify that she has received a valid response to her challenge? She is given a verification algorithm V AB V AB (y, x) y = r AB x

30 The Challenge-Response Protocol Pattern Remark For simplicity, we are glossing over some subtle details. E.g., Alice is often not capable to produce the term r AB x. How does she verify that she has received a valid response to her challenge? She is given a verification algorithm V AB V AB (y, x) y = r AB x We shall soon see an instance of this.

31 Origination axiom A ((t))

32 Origination axiom A X t ((t))

33 Origination axiom A X t ((t)) A : ((t)) A = X. t X ((t)) A (rcv)

34 Freshness axiom A νx B a(x)

35 Freshness axiom A νx B A a(x)

36 Freshness axiom A νx x B A ((x)) a(x)

37 Freshness axiom A νx x B A ((x)) a(x) ( ((νx)a ) (νx) A x FV(a B ) = a B A B = ( (νx) A x A ((x)) B a B ) ) (new)

38 Challenge-Response with Signature (CRS 0 ) = (CR) [ c AB x = x, r AB x = S B x ] A νx x B V B (y,x) S B x y S B t = S B u = t = u (sig1) S B t X = X = B (sig2) V B (y, t) y = S B t (sig3)

39 Challenge-Response with Signature (CRS 0 ) = (CR) [ c AB x = x, r AB x = S B x ] Proposition (CRS) is an implementation of (CR), for A B.

40 Challenge-Response with Signature (CRS 0 ) = (CR) [ c AB x = x, r AB x = S B x ] Proposition (CRS) is an implementation of (CR), for A B. More precisely, if axioms (rcv) and (new) are satisfied, then (sig1) (sig2) (sig3) = (cr)[c AB x=x, r AB x=s B x] whenever A B.

41 Proof Suppose that Alice sees A νx x (y V B (y,x))

42 Proof Suppose that Alice sees A νx x (y V B (y,x)) where ( y V B (y, x) ) means that y passes the test V B (y, x).

43 Proof (continued) Since (sig3) tells V B (y, x) y = S B x, we have A νx x (S B x)

44 Proof (continued) By (rcv), everything that is received must have been sent. A νx Y x (S B x) S B x

45 Proof (continued)... and by (sig2), S B t Y = Y = B. A νx B x (S B x) S B x

46 Proof (continued) Since (sig1) implies x FV S B x, (new) implies A νx B x (S B x) S B x

47 Proof (completed)... and finally A B and the second part of (new) yield A νx B x ((x)) (S B x) S B x

48 Simple signature system Definition Given the types M of plaintexts S of signatures K of keys

49 Simple signature system Definition... a simple signature system is a triple of algorithms: key generation K S, K V :K K signing S :K M S, and verification V :K S M {0, 1}

50 Simple signature system Definition... that together provide signature verification: V(K V, s, m) s = S(K S, m) unforgeability: ( m. V(KV, A(m), m) ) = A(m) = S(K S, m) for all feasible attackers A :M S

51 Example of a simple signature system: RSA M =C=Z n, where n = pq, p, q prime K =Z ϕ(n) K S = d private key K V = d 1 modϕ(n) public key S(d, m) = m d mod n V(e, s, m) s e = m mod n

52 Probabilistic signature systems Remark While the signature verification condition defines the basic functionality of the signatures, the unforgeability condition is a logical approximation of the desired security.

53 Probabilistic signature systems Remark While the signature verification condition defines the basic functionality of the signatures, the unforgeability condition is a logical approximation of the desired security. Going beyond the simple signature systems, we refine the unforgeability condition to various probabilistic versions

54 Probabilistic signature systems Remark While the signature verification condition defines the basic functionality of the signatures, the unforgeability condition is a logical approximation of the desired security. Going beyond the simple signature systems, we refine the unforgeability condition to various probabilistic versions just like the trapdoor encryption condition on crypto systems was refined to the various notions of secrecy.

55 Example of a probabilistic signature system: El Gamal Fix a finite fieldfand g F. M =F S =F F K V (a) = g a K S (a) = a K =F F S(r, k, m) = g r, (m k g r ) r 1 R=F V(k, c 1, c 2,m) ( k c1 c c 2 1 = gm)

56 Example of a probabilistic signature system: El Gamal Fix a finite fieldfand g F. M =F S =F F K V (a) = g a K S (a) = a K =F F S(r, k, m) = g r, (m k g r ) r 1 R=F V(k, c 1, c 2,m) ( k c1 c c 2 1 = gm) Signature verification V(K V (a), S(r, K S (a), m), m) V(g a, S(r, a, m), m) V ( g a, g r, (m ag r )r 1, m ) ( g agr g r(m agr )r 1 = g m)

57 Signature systems Homework Prove that the RSA system satisfies the signature verification and the unforgeability conditions. Which assumptions do you need? Prove that the El Gamal system satisfies the signature verification condition. What is the role of the random seeds r Rin unforgeability?

58 CR with Public Key Encryption (CRE) = (CR) [ c AB x = E B (A.x), r AB x = x ] A νx E B (A.x) B x A : (νx) A E B t(x) A x X = X = A X = B (enc)

59 CR with Shared Key at the Input (CRKI) = (CR) [ c AB x = K AB (A.x), r AB x = x ] A νx K AB (A.x) B x K AB t = K AB u = t = u (hk1) K AB t X = X = A X = B (hk2) K AB = K BA (hk3)

60 CR with Shared Key at the Output (CRKO) = (CR) [ c AB x = x, r AB x = K AB (A.x) ] A νx x B K AB (A.x) K AB t = K AB u = t = u (hk1) K AB t X = X = A X = B (hk2) K AB = K BA (hk3)

61 Basic CR-implementations CR CRP CRK CRE CRS CRKI CRKO

62 Basic CR-implementations CR CRP CRK CRE CRS CRKI CRKO (The difference between (CRS) and (CRS 0 ) is discussed later.)

63 Mutual authentication To establish a session, Alice and Bob authenticate each other A B A B νx x S B x y νy S A y

64 Mutual authentication: (CRS 0 -seq)... and Bob responds eagerly... A B νx x y,s B x νy S A y

65 Mutual authentication: (CRS 0 -seq) 2... binding the two authentications together... A B νx x y,s B (x.y) νy S A (x.y) 2 This protocol is better known as (ISO ).

66 Mutual authentication: (CRS 0 -nest)... or Bob may respond lazily... A B A B νx x y νy S A y S B x

67 Mutual authentication: (CRS 0 -nest)... first authenticates Alice... A B νx x y S A y νy S B x

68 Mutual authentication: (CRS 0 -nest)... but the two authentications still need to be bound together. A B νx x y S A (x.y) νy S B (x.y)

69 Formalizing mutual authentication conversation records We say that a protocol realizes mutual authentication if each of the participants can prove all participants send and receive actions

70 Formalizing mutual authentication conversation records We say that a protocol realizes mutual authentication if each of the participants can prove all participants send and receive actions except the last send-receive pair

71 Formalizing mutual authentication conversation records We say that a protocol realizes mutual authentication if each of the participants can prove all participants send and receive actions except the last send-receive pair and all principals views of the content of the messages sent and received, and the ordering in which they were sent and received coincide (i.e. match).

72 Formalizing mutual authentication Remark Suppose that Alice s and Bob s views of their conversation match. This implies that their view of their conversation is true, because Alice s view of what she said is true, and Bob s view of what he said is true, and therefore if Alice s view of what Bob said matches Bob s view of Bob said, then Alice s view of what Bob said is true. Ditto for Bob.

73 conversations in (CRS 0 -nest) Proposition Protocol (CRS 0 -nest) realizes mutual authentication

74 conversations in (CRS 0 -nest) Proposition Protocol (CRS 0 -nest) realizes mutual authentication, provided that both principals are honest.

75 conversations in (CRS 0 -nest) Proposition Protocol (CRS 0 -nest) realizes mutual authentication, provided that both principals are honest. Formal notion of honesty We say that a principal in a protocol is honest within a protocol if she acts according to the protocol.

76 conversations in (CRS 0 -nest) Proposition Protocol (CRS 0 -nest) realizes mutual authentication, provided that both principals are honest. Formal notion of honesty We say that a principal in a protocol is honest within a protocol if she acts according to the protocol. This means that she only performs her actions in the prescribed order, and with the prescribed data.

77 conversations in (CRS 0 -nest): Alice Initially, Alice only sees her own actions: A νx B x (u) S A (x.u) (S B (x.u))

78 conversations in (CRS 0 -nest): Alice By (cr) [ c AB = id, r AB = S B] (proved earlier) A νx B x (u) ((x)) S A (x.u) (S B (x.u)) S B (x.u)

79 conversations in (CRS 0 -nest): Alice But Bob is honest, so he only sends S B (x.y) for a fresh y A B νx x (u) νy y B honest (x) S A (x.u) (S B (x.u)) (sig1) (u=y) (S A (x.y)) S B (x.y)

80 conversations in (CRS 0 -nest): Alice By (rcv), someone must have sent u A νx B x (u) (rcv) u Y νy y B honest (x) S A (x.u) (S B (x.u)) (sig1) (u=y) (S A (x.y)) S B (x.y)

81 conversations in (CRS 0 -nest): Alice Finally, using u = y, derived before, Alice concludes A B νx x νy (x) (u) (rcv) u Y (u=y) (new) y B honest S A (x.u) (S B (x.u)) (u=y) (sig1) (u=y) (S A (x.y)) S B (x.y)

82 conversations in (CRS 0 -nest): Alice Alice has derived the ordering of her and Bob s actions: A νx B x (u) u Y νy y (x) S A (x.u) (S B (x.u)) (S A (x.y)) S B (x.y)

83 conversations in (CRS 0 -nest): Bob Initially, Bob only sees his own actions: A B (v) νy y (S A (v.y)) S B (v.y)

84 conversations in (CRS 0 -nest): Bob By the (cr)-axiom, he concludes that Alice must be on-line. A B (v) νy ((y)) y S A (v.y) (S A (v.y)) S B (v.y)

85 conversations in (CRS 0 -nest): Bob Since she is honest, she acted according to the protocol: A νx B x A honest A honest (v) νy (y) ((y)) y A honest S A (x.y) S A (v.y) (sig1) (x=v) (S A (v.y)) S B (v.y)

86 conversations in (CRS 0 -nest): Bob By (rcv), someone must have sent the first message. A νx B A honest x v X (rcv) (v) A honest νy (y) ((y)) y A honest S A (x.y) S A (v.y) (sig1) (x=v) (S A (v.y)) S B (v.y)

87 conversations in (CRS 0 -nest): Bob By (sig1) and (new), that must have been Alice. A νx B A honest x (x=v) (new) v X (rcv) (v) A honest νy (y) ((y)) y A honest S A (x.y) S A (v.y) (sig1) (x=v) (S A (v.y)) S B (v.y)

88 conversations in (CRS 0 -nest): Bob Bob has derived the total order of his and Alice s actions. A νx B x v X (v) νy (y) ((y)) y S A (x.y) S A (v.y) (S A (v.y)) S B (v.y)

89 conversations in (CRS 0 -nest) Both Alice and Bob have thus recorded the following conversation (νx) A < x A < (x) B < (νy) B < y B < (y) A < S A (x.y) A <( S A (x.y) ) B < S B (x.y) B Their records match, and the mutual authentication is achieved.

90 Mutual authentication by (CRE) Homework Compose two instances of the (CRE) protocol, to build a protocol (CRE-seq) for mutual authentication. Analyze the difference between (CRE-seq) and the (NSPK) protocol, introduced in Sec. 5 of Part 3? Is (CRE-seq) vulnerable to the same attack as (NSPK)?

91 Mutual authentication by (CRK)? The main shortcoming of both (CRKO) and (CRKI) protocols is that Alice and Bob are required to share a secret k AB to run these protocols.

92 Mutual authentication by (CRK)? The main shortcoming of both (CRKO) and (CRKI) protocols is that Alice and Bob are required to share a secret k AB to run these protocols. This defeats the purpose of authentication, because generating a shared secret k AB is usually the whole point.

93 Server An Server S shares a symmetric key k BS with every principal B.

94 Server An Server S shares a symmetric key k BS with every principal B. service proceeds as follows A authenticates S, using K AS m = E(k AS, m) S authenticates B using K BS m = E(k BS, m) if S is honest, then A thus authenticates B.

95 services CRKI A B νx K AB (A.x) x

96 services CRKII A S B νx K AS (B.x) K BS (A.x) x

97 services CRKIO A S B νx K AS (B.x) ) K (A.K BS AS (B.x) x

98 services CRKO A νx B x K AB (A.x)

99 services CRKOI A S B νx x ) K (A.K BS AS (B.x) K AS (B.x)

100 services CRKOO A S B νx x K BS (A.x) K AS (B.x)

101 Towards the protocol Component 1: CRKOO A S B νx x K BS (A.x) K AS (B.x)

102 Towards the protocol Component 2: CRKII A S B K BS (A.y) νy K AS (B.y) y

103 Towards the protocol Step 3: Composition A S B νx x νy K BS (A.x),K BS (A.y) K AS (B.x),K AS (B.y) y

104 Towards the protocol Step 4: Binding A S B νx x νy K BS (A.x.y) K AS (B.x.y) y

105 Towards the protocol Step 5: Key distribution A S B νx x νy K BS (A.x.y) K AS (B.z.x.y), K BS (A.z) u, v νz y,v

106 protocol Step 5: Key confirmation A S B νx x νy K BS (A.x.y) K AS (B.z.x.y), K BS (A.z) u, v νz K AB (y),v K AB (m)=e(z,m)

107 Outline Basic ideas of authentication Challenge-Response Attacks What did we learn?

108 Outline Basic ideas of authentication Challenge-Response Attacks What did we learn?

Principles of Security Part 4: Authentication protocols Sections 3 and 4

Principles of Security Part 4: Authentication protocols Sections 3 and 4 Principles of Security Part 4: protocols Sections 3 and 4 Oxford Michaelmas Term 2008 Outline asic ideas of authentication Challenge-Response ttacks What did we learn? Outline asic ideas of authentication

More information

Key Establishment and Authentication Protocols EECE 412

Key Establishment and Authentication Protocols EECE 412 Key Establishment and Authentication Protocols EECE 412 1 where we are Protection Authorization Accountability Availability Access Control Data Protection Audit Non- Repudiation Authentication Cryptography

More information

CS 161 Computer Security

CS 161 Computer Security Popa & Wagner Spring 2016 CS 161 Computer Security Discussion 5 Week of February 19, 2017 Question 1 Diffie Hellman key exchange (15 min) Recall that in a Diffie-Hellman key exchange, there are values

More information

Introduction to Cryptography Lecture 7

Introduction to Cryptography Lecture 7 Introduction to Cryptography Lecture 7 El Gamal Encryption RSA Encryption Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing

More information

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7 Public-Key Cryptography Professor Yanmin Gong Week 3: Sep. 7 Outline Key exchange and Diffie-Hellman protocol Mathematical backgrounds for modular arithmetic RSA Digital Signatures Key management Problem:

More information

Spring 2010: CS419 Computer Security

Spring 2010: CS419 Computer Security Spring 2010: CS419 Computer Security Vinod Ganapathy Lecture 7 Topic: Key exchange protocols Material: Class handout (lecture7_handout.pdf) Chapter 2 in Anderson's book. Today s agenda Key exchange basics

More information

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos ECE596C: Handout #9 Authentication Using Shared Secrets Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract. In this lecture we introduce the concept of authentication and

More information

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security CMPSC443 - Introduction to Computer and Network Security Module: Cryptographic Protocols Professor Patrick McDaniel Spring 2009 1 Key Distribution/Agreement Key Distribution is the process where we assign

More information

BAN Logic. Logic of Authentication 1. BAN Logic. Source. The language of BAN. The language of BAN. Protocol 1 (Needham-Schroeder Shared-Key) [NS78]

BAN Logic. Logic of Authentication 1. BAN Logic. Source. The language of BAN. The language of BAN. Protocol 1 (Needham-Schroeder Shared-Key) [NS78] Logic of Authentication 1. BAN Logic Ravi Sandhu BAN Logic BAN is a logic of belief. In an analysis, the protocol is first idealized into messages containing assertions, then assumptions are stated, and

More information

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature Key Management Digital signatures: classical and public key Classic and Public Key exchange 1 Handwritten Signature Used everyday in a letter, on a check, sign a contract A signature on a signed paper

More information

Computer Networks & Security 2016/2017

Computer Networks & Security 2016/2017 Computer Networks & Security 2016/2017 Network Security Protocols (10) Dr. Tanir Ozcelebi Courtesy: Jerry den Hartog Courtesy: Kurose and Ross TU/e Computer Science Security and Embedded Networked Systems

More information

Chapter 9: Key Management

Chapter 9: Key Management Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures Slide #9-1 Overview Key exchange Session vs. interchange

More information

Diffie-Hellman. Part 1 Cryptography 136

Diffie-Hellman. Part 1 Cryptography 136 Diffie-Hellman Part 1 Cryptography 136 Diffie-Hellman Invented by Williamson (GCHQ) and, independently, by D and H (Stanford) A key exchange algorithm o Used to establish a shared symmetric key Not for

More information

Cryptographic Protocols 1

Cryptographic Protocols 1 Cryptographic Protocols 1 Luke Anderson luke@lukeanderson.com.au 5 th May 2017 University Of Sydney Overview 1. Crypto-Bulletin 2. Problem with Diffie-Hellman 2.1 Session Hijacking 2.2 Encrypted Key Exchange

More information

T Cryptography and Data Security

T Cryptography and Data Security T-79.4501 Cryptography and Data Security Lecture 10: 10.1 Random number generation 10.2 Key management - Distribution of symmetric keys - Management of public keys Stallings: Ch 7.4; 7.3; 10.1 1 The Use

More information

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall 2009 Nitesh Saxena *Adopted from a previous lecture by Gene Tsudik Course Admin HW3 Problem 3 due Friday midnight

More information

1 A Tale of Two Lovers

1 A Tale of Two Lovers CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Dec. 12, 2006 Lecture Notes 19 (expanded): Secure Two-Party Computation Recommended Reading. Goldreich Volume II 7.2.2, 7.3.2, 7.3.3.

More information

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012 Ideal Security Protocol Satisfies security requirements Requirements must be precise Efficient Small computational requirement Small bandwidth usage, network delays Not fragile Works when attacker tries

More information

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 2 Due: Friday, 10/28/2016 at 11:55pm PT Will be posted on

More information

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography Outline 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography

More information

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography 1. Introduction 2. RSA Outline 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography

More information

Secure Multiparty Computation

Secure Multiparty Computation CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation

More information

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1 ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters

More information

Security protocols and their verification. Mark Ryan University of Birmingham

Security protocols and their verification. Mark Ryan University of Birmingham Security protocols and their verification Mark Ryan University of Birmingham Contents 1. Authentication protocols (this lecture) 2. Electronic voting protocols 3. Fair exchange protocols 4. Digital cash

More information

Chapter 9 Public Key Cryptography. WANG YANG

Chapter 9 Public Key Cryptography. WANG YANG Chapter 9 Public Key Cryptography WANG YANG wyang@njnet.edu.cn Content Introduction RSA Diffie-Hellman Key Exchange Introduction Public Key Cryptography plaintext encryption ciphertext decryption plaintext

More information

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d) Outline AIT 682: Network and Systems Security 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard Topic 5.2 Public Key Cryptography Instructor: Dr. Kun Sun 2 Public Key

More information

(More) cryptographic protocols

(More) cryptographic protocols (More) cryptographic protocols Myrto Arapinis School of Informatics University of Edinburgh October 19, 2017 1/24 Authentication and key agreement protocols 2/24 Authentication and key agreement Long-term

More information

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh Protocols II Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 17th February 2011 Outline Introduction Shared-key Authentication Asymmetric authentication protocols

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 4, 2017 CPSC 467, Lecture 11 1/39 ElGamal Cryptosystem Message Integrity and Authenticity Message authentication codes

More information

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation

More information

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1 ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2013 CS 161 Computer Security 3/14 Asymmetric cryptography Previously we saw symmetric-key cryptography, where Alice and Bob share a secret key K. However, symmetric-key cryptography can

More information

CS 395T. Formal Model for Secure Key Exchange

CS 395T. Formal Model for Secure Key Exchange CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,

More information

Cryptography III Want to make a billion dollars? Just factor this one number!

Cryptography III Want to make a billion dollars? Just factor this one number! Cryptography III Want to make a billion dollars? Just factor this one number! 3082010a0282010100a3d56cf0bf8418d66f400be31c3f22036ca9f5cf01ef614de2eb9a1cd74a0c344b5a20d5f80df9a23c89 10c354821aa693432a61bd265ca70f309d56535a679d68d7ab89f9d32c47c1182e8a14203c050afd5f1831e5550e8700e008f2

More information

Other Topics in Cryptography. Truong Tuan Anh

Other Topics in Cryptography. Truong Tuan Anh Other Topics in Cryptography Truong Tuan Anh 2 Outline Public-key cryptosystem Cryptographic hash functions Signature schemes Public-Key Cryptography Truong Tuan Anh CSE-HCMUT 4 Outline Public-key cryptosystem

More information

Proofs for Key Establishment Protocols

Proofs for Key Establishment Protocols Information Security Institute Queensland University of Technology December 2007 Outline Key Establishment 1 Key Establishment 2 3 4 Purpose of key establishment Two or more networked parties wish to establish

More information

Real-time protocol. Chapter 16: Real-Time Communication Security

Real-time protocol. Chapter 16: Real-Time Communication Security Chapter 16: Real-Time Communication Security Mohammad Almalag Dept. of Computer Science Old Dominion University Spring 2013 1 Real-time protocol Parties negotiate interactively (Mutual) Authentication

More information

CS 494/594 Computer and Network Security

CS 494/594 Computer and Network Security CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Real-Time Communication Security Network layers

More information

Kurose & Ross, Chapters (5 th ed.)

Kurose & Ross, Chapters (5 th ed.) Kurose & Ross, Chapters 8.2-8.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) Addison-Wesley, April 2009. Copyright 1996-2010, J.F Kurose and

More information

CS Computer Networks 1: Authentication

CS Computer Networks 1: Authentication CS 3251- Computer Networks 1: Authentication Professor Patrick Traynor 4/14/11 Lecture 25 Announcements Homework 3 is due next class. Submit via T-Square or in person. Project 3 has been graded. Scores

More information

Auth. Key Exchange. Dan Boneh

Auth. Key Exchange. Dan Boneh Auth. Key Exchange Review: key exchange Alice and want to generate a secret key Saw key exchange secure against eavesdropping Alice k eavesdropper?? k This lecture: Authenticated Key Exchange (AKE) key

More information

Encryption. INST 346, Section 0201 April 3, 2018

Encryption. INST 346, Section 0201 April 3, 2018 Encryption INST 346, Section 0201 April 3, 2018 Goals for Today Symmetric Key Encryption Public Key Encryption Certificate Authorities Secure Sockets Layer Simple encryption scheme substitution cipher:

More information

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL)) Introduction (Mihir Bellare Text/Notes: http://cseweb.ucsd.edu/users/mihir/cse207/) Cryptography provides: Data Privacy Data Integrity and Authenticity Crypto-systems all around us ATM machines Remote

More information

Chapter 9. Public Key Cryptography, RSA And Key Management

Chapter 9. Public Key Cryptography, RSA And Key Management Chapter 9 Public Key Cryptography, RSA And Key Management RSA by Rivest, Shamir & Adleman of MIT in 1977 The most widely used public-key cryptosystem is RSA. The difficulty of attacking RSA is based on

More information

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification Hossen Asiful Mustafa Introduction Entity Authentication is a technique designed to let one party prove the identity of another

More information

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 3 Due: Monday, 11/28/2016 at 11:55pm PT Solution: Will be posted

More information

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography CS555 Spring 2012/Topic 16 1 Outline and Readings Outline Private key management between two parties Key management

More information

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

ח'/סיון/תשע א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms Public Key Cryptography Kurose & Ross, Chapters 8.28.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) AddisonWesley, April 2009. Copyright 19962010,

More information

Logic of Authentication

Logic of Authentication Logic of Authentication Dennis Kafura Derived from materials authored by: Burrows, Abadi, Needham 1 Goals and Scope Goals develop a formalism to reason about authentication protocols uses determine guarantees

More information

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key? ryptography Goals Protect private communication in the public world and are shouting messages over a crowded room no one can understand what they are saying 1 Other Uses of ryptography Authentication should

More information

Security protocols. Correctness of protocols. Correctness of protocols. II. Logical representation and analysis of protocols.i

Security protocols. Correctness of protocols. Correctness of protocols. II. Logical representation and analysis of protocols.i Security protocols Logical representation and analysis of protocols.i A security protocol is a set of rules, adhered to by the communication parties in order to ensure achieving various security or privacy

More information

CS 395T. Analyzing SET with Inductive Method

CS 395T. Analyzing SET with Inductive Method CS 395T Analyzing SET with Inductive Method Theorem Proving for Protocol Analysis Prove correctness instead of looking for bugs Use higher-order logic to reason about all possible protocol executions No

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2017 CS 161 Computer Security Discussion 6 Week of March 6, 2017 Question 1 Password Hashing (10 min) When storing a password p for user u, a website randomly generates a string s (called

More information

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 3 Due: Monday, 11/28/2016 at 11:55pm PT Solution: Will be posted

More information

Formal Methods for Assuring Security of Computer Networks

Formal Methods for Assuring Security of Computer Networks for Assuring of Computer Networks May 8, 2012 Outline Testing 1 Testing 2 Tools for formal methods Model based software development 3 Principals of security Key security properties Assessing security protocols

More information

CSC 474/574 Information Systems Security

CSC 474/574 Information Systems Security CSC 474/574 Information Systems Security Topic 2.5 Public Key Algorithms CSC 474/574 Dr. Peng Ning 1 Public Key Algorithms Public key algorithms covered in this class RSA: encryption and digital signature

More information

CIS 4360 Secure Computer Systems Applied Cryptography

CIS 4360 Secure Computer Systems Applied Cryptography CIS 4360 Secure Computer Systems Applied Cryptography Professor Qiang Zeng Spring 2017 Symmetric vs. Asymmetric Cryptography Symmetric cipher is much faster With asymmetric ciphers, you can post your Public

More information

A Derivation System for Security Protocols and its Logical Formalization

A Derivation System for Security Protocols and its Logical Formalization A Derivation System for Security Protocols and its Logical Formalization Anupam Datta Ante Derek John C. Mitchell Dusko Pavlovic Stanford University CSFW July 1, 2003 Kestrel Institute Contributions Protocol

More information

CS 161 Computer Security

CS 161 Computer Security Raluca Popa Spring 2018 CS 161 Computer Security Homework 2 Due: Wednesday, February 14, at 11:59pm Instructions. This homework is due Wednesday, February 14, at 11:59pm. No late homeworks will be accepted.

More information

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology Cryptography & Key Exchange Protocols Faculty of Computer Science & Engineering HCMC University of Technology Outline 1 Cryptography-related concepts 2 3 4 5 6 7 Key channel for symmetric cryptosystems

More information

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 38 A Tutorial on Network Protocols

More information

Outline More Security Protocols CS 239 Computer Security February 4, 2004

Outline More Security Protocols CS 239 Computer Security February 4, 2004 Outline More Security Protocols CS 239 Computer Security February 4, 2004 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication

More information

CSE 127: Computer Security Cryptography. Kirill Levchenko

CSE 127: Computer Security Cryptography. Kirill Levchenko CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified

More information

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Outline More Security Protocols CS 239 Computer Security February 6, 2006 Outline More Security Protocols CS 239 Computer Security February 6, 2006 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication

More information

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls Overview Cryptography functions Secret key (e.g., DES) Public key (e.g., RSA) Message

More information

1 Identification protocols

1 Identification protocols ISA 562: Information Security, Theory and Practice Lecture 4 1 Identification protocols Now that we know how to authenticate messages using MACs, a natural question is, how can we use MACs to prove that

More information

Lecture 15: Public Key Encryption: I

Lecture 15: Public Key Encryption: I CSE 594 : Modern Cryptography 03/28/2017 Lecture 15: Public Key Encryption: I Instructor: Omkant Pandey Scribe: Arun Ramachandran, Parkavi Sundaresan 1 Setting In Public-key Encryption (PKE), key used

More information

Session key establishment protocols

Session key establishment protocols our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session

More information

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018 CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring 2018 5 and 6 February 2018 Identification schemes are mechanisms for Alice to prove her identity to Bob They comprise a setup

More information

Fall 2005 Joseph/Tygar/Vazirani/Wagner Final

Fall 2005 Joseph/Tygar/Vazirani/Wagner Final CS 161 Computer Security Fall 2005 Joseph/Tygar/Vazirani/Wagner Final PRINT your name:, (last) SIGN your name: (first) PRINT your Unix account name: PRINT your TA s name: You may consult any books, notes,

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 7 January 30, 2012 CPSC 467b, Lecture 7 1/44 Public-key cryptography RSA Factoring Assumption Computing with Big Numbers Fast Exponentiation

More information

Session key establishment protocols

Session key establishment protocols our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session

More information

Lecture 8 - Message Authentication Codes

Lecture 8 - Message Authentication Codes Lecture 8 - Message Authentication Codes Benny Applebaum, Boaz Barak October 12, 2007 Data integrity Until now we ve only been interested in protecting secrecy of data. However, in many cases what we care

More information

Cryptography: More Primitives

Cryptography: More Primitives Design and Analysis of Algorithms May 8, 2015 Massachusetts Institute of Technology 6.046J/18.410J Profs. Erik Demaine, Srini Devadas and Nancy Lynch Recitation 11 Cryptography: More Primitives 1 Digital

More information

Authentication. Strong Password Protocol. IT352 Network Security Najwa AlGhamdi

Authentication. Strong Password Protocol. IT352 Network Security Najwa AlGhamdi Authentication Strong Password Protocol 1 Strong Password Protocol Scenario : Alice uses any workstation to log to the server B, using a password to authenticate her self. Various way to do that? Use Ur

More information

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018 Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS

More information

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1 Information Security message M one-way hash fingerprint f = H(M) 4/19/2006 Information Security 1 Outline and Reading Digital signatures Definition RSA signature and verification One-way hash functions

More information

A Derivation System for Security Protocols and its Logical Formalization

A Derivation System for Security Protocols and its Logical Formalization A Derivation System for Security Protocols and its Logical Formalization Anupam Datta Ante Derek John C. Mitchell Dusko Pavlovic Computer Science Dept. Kestrel Institute Stanford University Palo Alto,

More information

Winter 2018 CS134: Computer and Network Security Homework 2 Due: 02/26/18, 11:59pm

Winter 2018 CS134: Computer and Network Security Homework 2 Due: 02/26/18, 11:59pm Winter 2018 CS134: Computer and Network Security Homework 2 Due: 02/26/18, 11:59pm Full Name: UCI ID Number: Sources: Guidelines: Use any word processor. Write your Name, UCInetID and Student ID on each

More information

RSA. Public Key CryptoSystem

RSA. Public Key CryptoSystem RSA Public Key CryptoSystem DIFFIE AND HELLMAN (76) NEW DIRECTIONS IN CRYPTOGRAPHY Split the Bob s secret key K to two parts: K E, to be used for encrypting messages to Bob. K D, to be used for decrypting

More information

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC) Message Authentication Code (MAC) Key-dependent one-way hash function Only someone with a correct key can verify the hash value Easy way to turn one-way hash function into MAC is to encrypt hash value

More information

Information Security CS 526

Information Security CS 526 Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric

More information

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2 Digital Signatures KG November 3, 2017 Contents 1 Introduction 1 2 Digital Signatures 2 3 Hash Functions 3 3.1 Attacks.................................... 4 3.2 Compression Functions............................

More information

Grenzen der Kryptographie

Grenzen der Kryptographie Microsoft Research Grenzen der Kryptographie Dieter Gollmann Microsoft Research 1 Summary Crypto does not solve security problems Crypto transforms security problems Typically, the new problems relate

More information

CS3235 Seventh set of lecture slides

CS3235 Seventh set of lecture slides CS3235 Seventh set of lecture slides Hugh Anderson National University of Singapore School of Computing October, 2007 Hugh Anderson CS3235 Seventh set of lecture slides 1 Warp 9... Outline 1 Public Key

More information

Lecture 10, Zero Knowledge Proofs, Secure Computation

Lecture 10, Zero Knowledge Proofs, Secure Computation CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last

More information

18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange. Dan Boneh

18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange. Dan Boneh 18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange Online Cryptography Course Basic key exchange Trusted 3 rd parties Key management Problem: n users. Storing mutual secret keys is difficult

More information

Introduction to Cryptography Lecture 7

Introduction to Cryptography Lecture 7 Introduction to Cryptography Lecture 7 Public-Key Encryption: El-Gamal, RSA Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing

More information

Lecture 6.2: Protocols - Authentication and Key Exchange II. CS 436/636/736 Spring Nitesh Saxena. Course Admin

Lecture 6.2: Protocols - Authentication and Key Exchange II. CS 436/636/736 Spring Nitesh Saxena. Course Admin Lecture 6.2: Protocols - Authentication and Key II CS 436/636/736 Spring 2012 Nitesh Saxena Mid-Term Grading Course Admin Will be done over the break Scores will be posted online and graded exams distribute

More information

Applied Cryptography and Computer Security CSE 664 Spring 2017

Applied Cryptography and Computer Security CSE 664 Spring 2017 Applied Cryptography and Computer Security Lecture 18: Key Distribution and Agreement Department of Computer Science and Engineering University at Buffalo 1 Key Distribution Mechanisms Secret-key encryption

More information

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Digital Signatures. Luke Anderson. 7 th April University Of Sydney. Digital Signatures Luke Anderson luke@lukeanderson.com.au 7 th April 2017 University Of Sydney Overview 1. Digital Signatures 1.1 Background 1.2 Basic Operation 1.3 Attack Models Replay Naïve RSA 2. PKCS#1

More information

Authentication and Key Distribution

Authentication and Key Distribution 1 Alice and Bob share a key How do they determine that they do? Challenge-response protocols 2 How do they establish the shared secret in the first place? Key distribution PKI, Kerberos, Other key distribution

More information

Computer Security Course. Public Key Crypto. Slides credit: Dan Boneh

Computer Security Course. Public Key Crypto. Slides credit: Dan Boneh Computer Security Course. Dawn Song Public Key Crypto Slides credit: Dan Boneh Administra>ve Issues Security is a fast- changing field We cover a broad spectrum of areas in computer security Hence, there

More information

CS 161 Computer Security

CS 161 Computer Security Popa & Wagner Spring 2016 CS 161 Computer Security Midterm 2 Print your name:, (last) (first) I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that academic misconduct will be

More information

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell 1 Cryptography Merriam-Webster Online Dictionary: 1. secret writing 2. the enciphering and deciphering

More information

Cryptography V: Digital Signatures

Cryptography V: Digital Signatures Cryptography V: Digital Signatures Computer Security Lecture 10 David Aspinall School of Informatics University of Edinburgh 10th February 2011 Outline Basics Constructing signature schemes Security of

More information

PUBLIC KEY CRYPTO. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

PUBLIC KEY CRYPTO. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA PUBLIC KEY CRYPTO Anwitaman DATTA SCSE, NTU Singapore Acknowledgement: The following lecture slides are based on, and uses material from the text book Cryptography and Network Security (various eds) by

More information

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken 0/41 Alice Who? Authentication Protocols Andreas Zeller/Stephan Neuhaus Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken The Menu 1/41 Simple Authentication Protocols The Menu 1/41 Simple

More information

Homework 1 CS161 Computer Security, Spring 2008 Assigned 2/4/08 Due 2/13/08

Homework 1 CS161 Computer Security, Spring 2008 Assigned 2/4/08 Due 2/13/08 Homework 1 CS161 Computer Security, Spring 2008 Assigned 2/4/08 Due 2/13/08 This homework assignment is due Wednesday, February 13 at the beginning of lecture. Please bring a hard copy to class; either

More information

SECURITY IN NETWORKS

SECURITY IN NETWORKS SECURITY IN NETWORKS GOALS Understand principles of network security: Cryptography and its many uses beyond con dentiality Authentication Message integrity WHAT IS NETWORK SECURITY? Con dentiality: only

More information