RFID Authentication: Security, Privacy and the Real World
|
|
- Charleen Kelley
- 6 years ago
- Views:
Transcription
1 RFID Authentication: Security, Privacy and the Real World ESC 2013 Jens Hermans KU Leuven - COSIC 15 January 2013
2 Introduction Cryptography in Daily Life RFID
3 Introduction Cryptography in Daily Life Security - Why?
4 Introduction Cryptography in Daily Life Privacy - Why? Das Kapital Insulin pump Underwear Membership implant Industrial espionage, user privacy
5 Introduction Cryptography in Daily Life Threat Analysis / Requirements Privacy + Security + Supply Chain Public Transport Car Keys Payments Access Control Passports
6 RFID Security & Privacy 1 RFID Security & Privacy Provable Security/Privacy Insider Attacks Requirements 2 Protocols (Research) 3 Protocols (Industry) 4 Protocol Design Lightweight Cryptography Design Performance 5 Conclusions and Future Perspectives
7 RFID Security & Privacy RFID Privacy: goals... ID = u , S =... ID =? { (ID=u , P=...),...}
8 RFID Security & Privacy RFID Privacy: goals #Tags? ID = u , S =... Link? ID = u , S =...
9 RFID Security & Privacy Different Privacy Solutions Protocol Level Privacy Kill Command Destroy Tag Shielding (Read Range Reduction)...
10 RFID Security & Privacy Provable Security/Privacy Protocol Analysis... Properties: ID = u , S =... Security Privacy: untraceability Allow corruption ID =? { (ID=u , P=...),...}
11 RFID Security & Privacy Provable Security/Privacy Provable Security & Privacy System Adversary Adversary wins if...
12 RFID Security & Privacy Provable Security/Privacy Corrupting Tags
13 RFID Security & Privacy Provable Security/Privacy Privacy Models - Indistinguishability Encryption: RO A B Privacy-models: Juels-Weis IND-CPA Vaudenay IND-CCA Hermans et al. IND-CCA2...
14 RFID Security & Privacy Provable Security/Privacy Privacy Levels Strong Forward Weak Narrow Wide at end at end
15 RFID Security & Privacy Provable Security/Privacy Privacy Requirements Privacy Level Application Narrow Weak Supply Chain Narrow Forward Smart Products Wide Weak Wide Forward Car Keys Payments Access Tokens Passports Public Transport
16 RFID Security & Privacy Insider Attacks Insider Attacks System Adversary Insider Tag
17 RFID Security & Privacy Requirements Privacy Requirements Privacy Level Application Narrow Weak Narrow Forward Wide Weak Supply Chain Smart Products Car Keys Payments Wide Forward + InsiderWide Forward + Insider Access Tokens Currently: Wide Strong Passports Public Transport
18 Protocols (Research) 1 RFID Security & Privacy Provable Security/Privacy Insider Attacks Requirements 2 Protocols (Research) 3 Protocols (Industry) 4 Protocol Design Lightweight Cryptography Design Performance 5 Conclusions and Future Perspectives
19 Protocols (Research) PRF (Block cipher) based [ISO/IEC ] State: x j Tag T Secrets: DB = {x j } Reader c c R {0,1} n p R {0,1} m r = F x (c p) r,p Search x j DB s.t.f xj (c p) = r Privacy Wide-Weak
20 Protocols (Research) Symmetric Key and Efficiency Damgård-Pedersen 08: Independent keys: inefficient O(n) Correlated keys: efficient O(log(n)) privacy loss Key Updating Higher Privacy Level (narrow forward) Desynchronization Attacks / Efficiency Problems Implementation cost?
21 Protocols (Research) EC Schnorr Protocol State: x j,y Tag T Secrets: y,db = {X j} Reader r R Z l R = rp R O? e e 0? s = x+er s Ẋ = sp er DB? Privacy None
22 Protocols (Research) Randomized Schnorr [BCI08] State: x j,y Tag T Secrets: y,db = {X j} Reader r 1,r 2 R Z l R 1 = r 1P,R 2 = r 2Y R 1,R 2 O? e s = ex+r 1 +r 2 s Ẋ = e 1 (sp R 1 y 1 R 2) DB Privacy Narrow Strong
23 Protocols (Research) Randomized Hash GPS [BCI09] State: x j,y Tag T Secrets: y,db = {X j} Reader r 1,r 2 R Z l R 1 = r 1P,R 2 = r 2Y z = H(R 1,R 2) R 1,R 2 O? e s = ex+r 1 +r 2 s,r 1,R 2 Verify z Ẋ = e 1 (sp R 1 y 1 R 2) DB Privacy Narrow Strong and Wide Forward
24 Protocols (Research) IND-CCA2 Encryption [Vau07] State: s j,id Tag T PK: K P. Secrets: DB = {s j } Reader c c R {0,1} n r = Enc KP (ID s j c) r ID s j c Dec KS (r) Search s j DB Privacy Wide Strong
25 Protocols (Research) Performance Protocol Privacy Ins. Ext. Snd. Operations Schnorr no no yes 1 EC mult Randomized Schnorr narrow-strong no yes 2 EC mult Rand. Hashed GPS narrow-strong no yes 2 EC mult wide-forward 1 hash Vaudenay wide-strong yes no 2 EC mult + DHIES 1 hash 1 MAC 1 symm enc Hash ElGamal wide-strong yes no 2 EC mult 1 hash 1 MAC
26 Protocols (Research) Lightweight Cryptography? Limits: Area ( ) Time Power Energy
27 Protocols (Research) Typical Ingredients for Protocols Primitive Status RNG OK? Key Update??? Block Cipher OK Hash Function OK ECC OK???
28 Protocols (Industry) 1 RFID Security & Privacy Provable Security/Privacy Insider Attacks Requirements 2 Protocols (Research) 3 Protocols (Industry) 4 Protocol Design Lightweight Cryptography Design Performance 5 Conclusions and Future Perspectives
29 Protocols (Industry) Scope ISO/IEC JTC 1 SC31: Automatic identification and data capture techniques Features: Tag authentication Reader authentication Mutual authentication Secure data exchange Target platform: passive & active tags.
30 Protocols (Industry) Proposals Tag Auth Reader Auth Mutual Auth Privacy Protocol Block cipher based (3) ( ) ( ) HB-2 ( ) Stream cipher based XOR ECC Static DH CryptoGPS ECDSA/DH TLS PK Encryption - Rabin
31 Protocol Design Design 1 RFID Security & Privacy Provable Security/Privacy Insider Attacks Requirements 2 Protocols (Research) 3 Protocols (Industry) 4 Protocol Design Lightweight Cryptography Design Performance 5 Conclusions and Future Perspectives
32 Protocol Design Design New Protocol [Peeters, Hermans 2012] Design protocol: Correct Extended soundness (At least) Wide Forward + Insider privacy Efficient
33 Protocol Design Design EC Schnorr Protocol State: x j,y Tag T Secrets: y,db = {X j } Reader r R Z l R = rp R O? e e 0? s = x+er s Ẋ = sp er DB?
34 Protocol Design Design Lightweight Elliptic Curve Cryptography P y Q x Implementation [LBSV10]: Area (14.5 kge) Time (85ms) Power (13.8 W) Energy (1.18 J) R
35 Protocol Design Design Key Assumptions Oracle Diffie-Hellman Assumption (A = ap,b = bp,abp) (A = ap,b = bp,rp) with extra O(Z) := xcoord(bz)p. X Logarithm xcoord(rp)p r P
36 Protocol Design Design New Protocol State: x,y = yp Tag T Secrets: y DB : {X i = x ip} Reader R r 1,r 2 R Z l R 1 = r 1P,R 2 = r 2P e e R Z l d = xcoord(xcoord(r 2Y)P) s = x+er 1 +d d = xcoord(xcoord(yr 2)P) Ẋ = (s d)p er 1 DB?
37 Protocol Design Design New Protocol - Extended Soundness State: x,y = yp Tag T Secrets: y DB : {X i = x ip} Reader R r 1,r 2 R Z l R 1 = r 1P,R 2 = r 2P e e R Z l d = xcoord(xcoord(r 2Y)P) s = x+er 1 +d d = xcoord(xcoord(yr 2)P) Ẋ = (s d)p er 1 DB? Extended Soundness Schnorr protocol extended soundness (OMDL assumption)
38 Protocol Design Design New Protocol - Privacy State: x,y = yp Tag T Secrets: y DB : {X i = x ip} Reader R r 1,r 2 R Z l R 1 = r 1P,R 2 = r 2P e e R Z l d = xcoord(xcoord(r 2Y)P) s = x+er 1 +d ḋ = xcoord(xcoord(yr 2)P) Ẋ = (s ḋ)p er1 DB?
39 Protocol Design Design Something symmetric? Final step: s = x +d +er 1 Assume set X = {x 0,...,x n } and set I = {ι 0,...,ι m }. 1 Adversary gets I 2 Set of oracles: { x α d i if b = 0 O 1(α,β) := x β d i if b = 1 O 2(s,i) := s d i X I O 3(s) := s X I 3 Adversary gets X, outputs guess g, d i R {0,1} l
40 Protocol Design Design Something for wide strong privacy? Assume set X = {x 0,...,x n } 1 Adversary gets X 2 Interact with oracles: { x αd i +e i if b = 0 O 1(α,β) := x β d i +e i if b = 1 O 2(s,i) := d 1 i (s e i ) X 3 Output guess g., d i,e i R Z l
41 Protocol Design Performance Performance Protocol Privacy Ins. Ext. Snd. Operations Schnorr no no yes 1 EC mult Randomized Schnorr narrow-strong no yes 2 EC mult Rand. Hashed GPS narrow-strong no yes 2 EC mult wide-forward 1 hash Vaudenay wide-strong yes no 2 EC mult + DHIES 1 hash 1 MAC 1 symm enc Hash ElGamal wide-strong yes no 2 EC mult 1 hash 1 MAC Our Protocol wide-forward-insider yes yes 4 EC mult - optimised version wide-forward-insider yes yes 2 EC mult Wide-Strong protocol wide-strong yes yes 4-5 EC mult
42 Conclusions and Future Perspectives Summary Overview RFID Privacy RFID Protocols Implementation Aspects New Private & Efficient RFID Protocol
43 Conclusions and Future Perspectives?
Wide Strong Private RFID Identification based on Zero-Knowledge
Wide Strong Private RFID Identification based on Zero-Knowledge Roel Peeters and Jens Hermans KU Leuven - ESAT/COSIC and iminds Kasteelpark Arenberg 10/2446, 3001 Leuven, BELGIUM firstname.lastname@esat.kuleuven.be
More informationStrong Privacy for RFID Systems from Plaintext-Aware Encryption
Strong Privacy for RFID Systems from Plaintext-Aware Encryption Khaled Ouafi and Serge Vaudenay ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE http://lasec.epfl.ch/ supported by the ECRYPT project SV strong
More informationWide-weak Privacy Preserving RFID Mutual Authentication Protocol
Wide-weak Privacy Preserving RFID Mutual Authentication Protocol Raghuvir Songhela Manik Lal Das DA-IICT, Gandhinagar, India. {songhela raghuvir, maniklal das}@daiict.ac.in Abstract Radio Frequency IDentification
More informationLightweight Privacy Preserving Authentication for RFID Using a Stream Cipher
Lightweight Privacy Preserving Authentication for RFID Using a Stream Cipher Olivier Billet, Jonathan Etrog, and Henri Gilbert Orange Labs RFID systems tags readers back end many types of systems system
More informationEncryption from the Diffie-Hellman assumption. Eike Kiltz
Encryption from the Diffie-Hellman assumption Eike Kiltz Elliptic curve public-key crypto Key-agreement Signatures Encryption Diffie-Hellman 76 passive security ElGamal 84 passive security Hybrid DH (ECDH)
More informationEfficient RFID authentication scheme for supply chain applications
University of Wollongong Research Online Faculty of Informatics - Papers (Archive) Faculty of Engineering and Information Sciences 2010 Efficient RFID authentication scheme for supply chain applications
More informationCSC 5930/9010 Modern Cryptography: Public Key Cryptography
CSC 5930/9010 Modern Cryptography: Public Key Cryptography Professor Henry Carter Fall 2018 Recap Number theory provides useful tools for manipulating integers and primes modulo a large value Abstract
More informationLightweight Cryptography for RFID Systems
Lightweight Cryptography for RFID Systems Guang Gong Department of Electrical and Computer Engineering University of Waterloo CANADA G. Gong (University of Waterloo)
More informationInsider attacks and privacy of RFID protocols
Insider attacks and privacy of RFID protocols Ton van Deursen and Saša Radomirović University of Luxembourg Abstract. We discuss insider attacks on RFID protocols with a focus on RFID tag privacy and demonstrate
More informationIND-CCA2 secure cryptosystems, Dan Bogdanov
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee 1 Overview Notion of indistinguishability The Cramer-Shoup cryptosystem Newer results
More informationALIKE: Authenticated Lightweight Key Exchange. Sandrine Agagliate, GEMALTO Security Labs
ALIKE: Authenticated Lightweight Key Exchange Sandrine Agagliate, GEMALTO Security Labs Outline: Context Description of ALIKE Generic description Full specification Security properties Chip Unforgeability
More informationRADIO Frequency Identification (RFID) technology [1], [2] enables wireless identification of objects
1 Destructive Privacy and Mutual Authentication in Vaudenay s RFID Model Cristian Hristea and Ferucio Laurenţiu Ţiplea Abstract With the large scale adoption of the Radio Frequency Identification (RFID)
More informationCSC 5930/9010 Modern Cryptography: Digital Signatures
CSC 5930/9010 Modern Cryptography: Digital Signatures Professor Henry Carter Fall 2018 Recap Implemented public key schemes in practice commonly encapsulate a symmetric key for the rest of encryption KEM/DEM
More informationSecurity of Biometric Passports ECE 646 Fall Team Members : Aniruddha Harish Divya Chinthalapuri Premdeep Varada
Security of Biometric Passports ECE 646 Fall 2013 Team Members : Aniruddha Harish Divya Chinthalapuri Premdeep Varada CONTENTS Introduction to epassports Infrastructure required for epassports Generations
More informationLecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena
Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall 2009 Nitesh Saxena *Adopted from a previous lecture by Gene Tsudik Course Admin HW3 Problem 3 due Friday midnight
More informationWAP Security. Helsinki University of Technology S Security of Communication Protocols
WAP Security Helsinki University of Technology S-38.153 Security of Communication Protocols Mikko.Kerava@iki.fi 15.4.2003 Contents 1. Introduction to WAP 2. Wireless Transport Layer Security 3. Other WAP
More informationA CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model
A CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model Jörn Müller-Quade European Institute for System Security KIT, Karlsruhe, Germany 04/23/09 Session ID: CRYP301 Session Classification:
More informationSymmetric Encryption 2: Integrity
http://wwmsite.wpengine.com/wp-content/uploads/2011/12/integrity-lion-300x222.jpg Symmetric Encryption 2: Integrity With material from Dave Levin, Jon Katz, David Brumley 1 Summing up (so far) Computational
More informationLow-Cost Untraceable Authentication Protocols for RFID
Low-Cost Untraceable Authentication Protocols for RFID [Extended and corrected version] ABSTRACT Yong Ki Lee EE EmSec University of California Los Angeles, CA, USA yklee93@kg21.net Dave Singelée IBBT COSIC
More informationCryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1
Cryptography CS 555 Topic 11: Encryption Modes and CCA Security CS555 Spring 2012/Topic 11 1 Outline and Readings Outline Encryption modes CCA security Readings: Katz and Lindell: 3.6.4, 3.7 CS555 Spring
More informationCryptographic Concepts
Outline Identify the different types of cryptography Learn about current cryptographic methods Chapter #23: Cryptography Understand how cryptography is applied for security Given a scenario, utilize general
More informationL13. Reviews. Rocky K. C. Chang, April 10, 2015
L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing
More informationCryptography. Andreas Hülsing. 6 September 2016
Cryptography Andreas Hülsing 6 September 2016 1 / 21 Announcements Homepage: http: //www.hyperelliptic.org/tanja/teaching/crypto16/ Lecture is recorded First row might be on recordings. Anything organizational:
More informationLecture 8: Cryptography in the presence of local/public randomness
Randomness in Cryptography Febuary 25, 2013 Lecture 8: Cryptography in the presence of local/public randomness Lecturer: Yevgeniy Dodis Scribe: Hamidreza Jahanjou So far we have only considered weak randomness
More informationHOST Authentication Overview ECE 525
Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication in real-time
More informationRelaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack
Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Indian Statistical Institute Kolkata January 14, 2012 Outline 1 Definitions Encryption Scheme IND-CPA IND-CCA IND-CCVA
More informationMutual Authentication in RFID
Mutual Authentication in RFID Security and Privacy Radu-Ioan Paise EPFL CH-1015 Lausanne, Switzerland radu-ioan.paise@epfl.ch Serge Vaudenay EPFL CH-1015 Lausanne, Switzerland serge.vaudenay@epfl.ch ABSTRACT
More informationMACHINE READABLE TRAVEL DOCUMENTS
MACHINE READABLE TRAVEL DOCUMENTS TECHNICAL REPORT Supplemental Access Control for Machine Readable Travel Documents Version 1.1 Date 15 April 2014 Published by authority of the Secretary General ISO/IEC
More information(a) Symmetric model (b) Cryptography (c) Cryptanalysis (d) Steganography
Code No: RR410504 Set No. 1 1. Write short notes on (a) Symmetric model (b) Cryptography (c) Cryptanalysis (d) Steganography 3. (a) Illustrate Diffie-hellman Key Exchange scheme for GF(P) [6M] (b) Consider
More informationCryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security
Cryptography CS 555 Topic 8: Modes of Encryption, The Penguin and CCA security 1 Reminder: Homework 1 Due on Friday at the beginning of class Please typeset your solutions 2 Recap Pseudorandom Functions
More informationLecture 3.4: Public Key Cryptography IV
Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2012 Nitesh Saxena Course Administration HW1 submitted Trouble with BB Trying to check with BB support HW1 solution will be posted very soon
More informationThis chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest
1 2 3 This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest PKCS, Diffie- Hellman key exchange. This first published
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 2 Cryptographic Tools First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Cryptographic Tools cryptographic algorithms
More informationAuthenticated encryption
Authenticated encryption Mac forgery game M {} k R 0,1 s m t M M {m } t mac k (m ) Repeat as many times as the adversary wants (m, t) Wins if m M verify m, t = 1 Mac forgery game Allow the adversary to
More informationBrief Introduction to Provable Security
Brief Introduction to Provable Security Michel Abdalla Département d Informatique, École normale supérieure michel.abdalla@ens.fr http://www.di.ens.fr/users/mabdalla 1 Introduction The primary goal of
More informationPublic-Key Cryptography
Computer Security Spring 2008 Public-Key Cryptography Aggelos Kiayias University of Connecticut A paradox Classic cryptography (ciphers etc.) Alice and Bob share a short private key using a secure channel.
More informationOn RFID authentication protocols with widestrong
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2013 On RFID authentication protocols with widestrong
More informationSecurity of Cryptosystems
Security of Cryptosystems Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Symmetric key cryptosystem m M 0 c Enc sk (m) sk Gen c sk m Dec sk (c) A randomised key generation algorithm outputs
More informationHomework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.
Homework 2: Symmetric Crypto February 17, 2015 Submission policy. information: This assignment MUST be submitted as a PDF via websubmit and MUST include the following 1. List of collaborators 2. List of
More informationMessage Authentication and Hash function
Message Authentication and Hash function Concept and Example 1 Approaches for Message Authentication Encryption protects message against passive attack, while Message Authentication protects against active
More informationBCA III Network security and Cryptography Examination-2016 Model Paper 1
Time: 3hrs BCA III Network security and Cryptography Examination-2016 Model Paper 1 M.M:50 The question paper contains 40 multiple choice questions with four choices and student will have to pick the correct
More informationAttribute-based Credentials on Smart Cards
Attribute-based Credentials on Smart Cards ir. Pim Vullers p.vullers@cs.ru.nl Privacy & Identity Lab Institute for Computing and Information Sciences Digital Security SaToSS Research Meeting 28th February
More informationCS408 Cryptography & Internet Security
CS408 Cryptography & Internet Security Lectures 16, 17: Security of RSA El Gamal Cryptosystem Announcement Final exam will be on May 11, 2015 between 11:30am 2:00pm in FMH 319 http://www.njit.edu/registrar/exams/finalexams.php
More informationBlock ciphers, stream ciphers
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Jan 31, 2018 Announcements Project 1 is out, due Feb 14 midnight Recall: Block cipher A
More informationOverview of Cryptography
18739A: Foundations of Security and Privacy Overview of Cryptography Anupam Datta CMU Fall 2007-08 Is Cryptography A tremendous tool The basis for many security mechanisms Is not The solution to all security
More informationPassword Authenticated Key Exchange by Juggling
A key exchange protocol without PKI Feng Hao Centre for Computational Science University College London Security Protocols Workshop 08 Outline 1 Introduction 2 Related work 3 Our Solution 4 Evaluation
More informationAuth. Key Exchange. Dan Boneh
Auth. Key Exchange Review: key exchange Alice and want to generate a secret key Saw key exchange secure against eavesdropping Alice k eavesdropper?? k This lecture: Authenticated Key Exchange (AKE) key
More informationCryptographic Approach to Privacy-Friendly Tags
Cryptographic Approach to Privacy-Friendly Tags Miyako Ohkubo, Koutarou Suzuki, and Shingo Kinoshita NTT Laboratories Nippon Telegraph and Telephone Corporation 2003.11.15 RFID Privacy Workshop MIT Outline
More informationMTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov October 31, 2005 Abstract Standard security assumptions (IND-CPA, IND- CCA) are explained. A number of cryptosystems
More informationAcronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector
Acronyms 3DES AES AH ANSI CBC CESG CFB CMAC CRT DoS DEA DES DoS DSA DSS ECB ECC ECDSA ESP FIPS IAB IETF IP IPsec ISO ITU ITU-T Triple DES Advanced Encryption Standard Authentication Header American National
More informationPublic-Key Cryptography for RFID Tags
Public-Key Cryptography for RFID Tags L. Batina 1, T. Kerins 2, N. Mentens 1, Pim Tuyls 2, Ingrid Verbauwhede 1 1 Katholieke Universiteit Leuven, ESAT/COSIC, Belgium 2 Philips Research Laboratories, Eindhoven,
More informationIntroduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information
1 Introduction Cryptography is an interdisciplinary field of great practical importance. The subfield of public key cryptography has notable applications, such as digital signatures. The security of a
More informationsymmetric cryptography s642 computer security adam everspaugh
symmetric cryptography s642 adam everspaugh ace@cs.wisc.edu computer security Announcement Midterm next week: Monday, March 7 (in-class) Midterm Review session Friday: March 4 (here, normal class time)
More informationKey Agreement Schemes
Key Agreement Schemes CSG 252 Lecture 9 November 25, 2008 Riccardo Pucella Key Establishment Problem PK cryptosystems have advantages over SK cryptosystems PKCs do not need a secure channel to establish
More informationCryptography. Lecture 12. Arpita Patra
Cryptography Lecture 12 Arpita Patra Digital Signatures q In PK setting, privacy is provided by PKE q Integrity/authenticity is provided by digital signatures (counterpart of MACs in PK world) q Definition:
More informationComputer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 10r. Recitation assignment & concept review Paul Krzyzanowski Rutgers University Spring 2018 April 3, 2018 CS 419 2018 Paul Krzyzanowski 1 1. What is a necessary condition for perfect
More informationAnonymity. Assumption: If we know IP address, we know identity
03--4 Anonymity Some degree of anonymity from using pseudonyms However, anonymity is always limited by address TCP will reveal your address address together with ISP cooperation Anonymity is broken We
More informationHash Proof Systems and Password Protocols
Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David Pointcheval CNRS, Ecole normale supe rieure/psl & INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA
More informationLecture 20 Public key Crypto. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Bailey s ECE 422
Lecture 20 Public key Crypto Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Bailey s ECE 422 Review: Integrity Problem: Sending a message over an untrusted
More informationInternet Engineering Task Force (IETF) Category: Informational ISSN: October 2013
Internet Engineering Task Force (IETF) J. Merkle Request for Comments: 7027 secunet Security Networks Updates: 4492 M. Lochter Category: Informational BSI ISSN: 2070-1721 October 2013 Abstract Elliptic
More informationCSE 127: Computer Security Cryptography. Kirill Levchenko
CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified
More informationApplied Cryptography and Computer Security CSE 664 Spring 2018
Applied Cryptography and Computer Security Lecture 13: Public-Key Cryptography and RSA Department of Computer Science and Engineering University at Buffalo 1 Public-Key Cryptography What we already know
More informationCSC 5930/9010 Modern Cryptography: Public-Key Infrastructure
CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure Professor Henry Carter Fall 2018 Recap Digital signatures provide message authenticity and integrity in the public-key setting As well as public
More informationAn efficient and provably secure RFID grouping proof protocol
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2017 An efficient and provably secure RFID grouping
More informationMTAT Cryptology II. Entity Authentication. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Entity Authentication Sven Laur University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie?
More informationCryptography and Network Security
Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 14: Folklore, Course summary, Exam requirements Ion Petre Department of IT, Åbo Akademi University 1 Folklore on
More informationCryptographic protocols
Cryptographic protocols Lecture 3: Zero-knowledge protocols for identification 6/16/03 (c) Jussipekka Leiwo www.ialan.com Overview of ZK Asymmetric identification techniques that do not rely on digital
More informationCryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security
Recall from last lecture Cryptography To a first approximation, attackers control network Next two lectures: How to defend against this 1. Communicate securely despite insecure networks cryptography 2.
More informationDistributed ID-based Signature Using Tamper-Resistant Module
, pp.13-18 http://dx.doi.org/10.14257/astl.2013.29.03 Distributed ID-based Signature Using Tamper-Resistant Module Shinsaku Kiyomoto, Tsukasa Ishiguro, and Yutaka Miyake KDDI R & D Laboratories Inc., 2-1-15,
More informationEfficient chosen ciphertext secure PKE scheme with short ciphertext
Efficient chosen ciphertext secure PKE scheme with short ciphertext Xianhui Lu 1, Xuejia Lai 2, Dake He 1, Guomin Li 1 Email:lu xianhui@gmail.com 1:School of Information Science & Technology, SWJTU, Chengdu,
More informationIntroduction to Public-Key Cryptography
Introduction to Public-Key Cryptography Nadia Heninger University of Pennsylvania June 11, 2018 We stand today on the brink of a revolution in cryptography. Diffie and Hellman, 1976 Symmetric cryptography
More informationAuthenticated Encryption in TLS
Authenticated Encryption in TLS Same modelling & verification approach concrete security: each lossy step documented by a game and a reduction (or an assumption) on paper Standardized complications - multiple
More informationCRYPTOGRAPHY KNOWLEDGE AREA (DRAFT FOR COMMENT) EDITOR: George Danezis University College London
CRYPTOGRAPHY KNOWLEDGE AREA (DRAFT FOR COMMENT) AUTHOR: Nigel Smart KU Leuven EDITOR: George Danezis University College London REVIEWERS: Dan Bogdanov - Cybernetica Kenny Patterson Royal Holloway, University
More informationUnderstand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS
Last Updated: Oct 31, 2017 Understand the TLS handshake Understand client/server authentication in TLS RSA key exchange DHE key exchange Explain certificate ownership proofs in detail What cryptographic
More informationChip Authentication for E-Passports: PACE with Chip Authentication Mapping v2
v.2 Chip Authentication for s: with Chip Authentication Mapping v2 Lucjan Mirosław Wrocław University of Science and Technology, Poland ISC 2016, Honolulu Electronic Passport v.2 e-passport and ebooth:
More informationAsymmetric Primitives. (public key encryptions and digital signatures)
Asymmetric Primitives (public key encryptions and digital signatures) An informal, yet instructive account of asymmetric primitives Timeline of the invention of public-key cryptography 1970-1974 British
More informationNIST Post- Quantum Cryptography Standardiza9on
NIST Post- Quantum Cryptography Standardiza9on Lily Chen Cryptographic Technology Group Computer Security Division, Informa9on Technology Lab Na9onal Ins9tute of Standards and Technology (NIST) NIST Crypto
More informationBlock ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016
Block ciphers CS 161: Computer Security Prof. Raluca Ada Popa February 26, 2016 Announcements Last time Syntax of encryption: Keygen, Enc, Dec Security definition for known plaintext attack: attacker provides
More informationSummary on Crypto Primitives and Protocols
Summary on Crypto Primitives and Protocols Levente Buttyán CrySyS Lab, BME www.crysys.hu 2015 Levente Buttyán Basic model of cryptography sender key data ENCODING attacker e.g.: message spatial distance
More informationLecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422
Lecture 18 Message Integrity Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422 Cryptography is the study/practice of techniques for secure communication,
More informationACTION: Breaking the Privacy Barrier for RFID Systems
Ad Hoc & Sensor Wireless Networks, Vol. 24, pp. 135 159 Reprints available directly from the publisher Photocopying permitted by license only 2014 Old City Publishing, Inc. Published by license under the
More informationCSC 5930/9010 Modern Cryptography: Cryptographic Hashing
CSC 5930/9010 Modern Cryptography: Cryptographic Hashing Professor Henry Carter Fall 2018 Recap Message integrity guarantees that a message has not been modified by an adversary Definition requires that
More informationLecture 8 - Message Authentication Codes
Lecture 8 - Message Authentication Codes Benny Applebaum, Boaz Barak October 12, 2007 Data integrity Until now we ve only been interested in protecting secrecy of data. However, in many cases what we care
More informationAn efficient and practical solution to secure password-authenticated scheme using smart card
An efficient and practical solution to secure password-authenticated scheme using smart card R. Deepa 1, R. Prabhu M.Tech 2, PG Research scholor 1, Head of the Department 2 Dept.of Information Technology,
More informationThe OCB Authenticated-Encryption Algorithm
The OCB Authenticated-Encryption Algorithm Ted Krovetz California State University, Sacramento, USA Phillip Rogaway University of California, Davis, USA IETF 83 Paris, France CFRG 11:20-12:20 in 212/213
More informationStandardisation efforst in lightweight cryptography
Standardisation efforts in lighweight cryptography February 2, 2014 Outline Motivation for standardisation. Keeloq. Standardisation processes and structures at ISO. What is in the ISO standards currently?
More informationCRYPTOGRAPHY KNOWLEDGE AREA. Issue 1.0. EDITOR: George Danezis University College London
CRYPTOGRAPHY KNOWLEDGE AREA Issue 1.0 AUTHOR: Nigel Smart KU Leuven EDITOR: George Danezis University College London REVIEWERS: Dan Bogdanov - Cybernetica Kenny Patterson Royal Holloway, University of
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationHomework 3: Solution
Homework 3: Solution March 28, 2013 Thanks to Sachin Vasant and Xianrui Meng for contributing their solutions. Exercise 1 We construct an adversary A + that does the following to win the CPA game: 1. Select
More informationTechnological foundation
Technological foundation Carte à puce et Java Card 2010-2011 Jean-Louis Lanet Jean-louis.lanet@unilim.fr Cryptology Authentication Secure upload Agenda Cryptology Cryptography / Cryptanalysis, Smart Cards
More informationLecture 15: Public Key Encryption: I
CSE 594 : Modern Cryptography 03/28/2017 Lecture 15: Public Key Encryption: I Instructor: Omkant Pandey Scribe: Arun Ramachandran, Parkavi Sundaresan 1 Setting In Public-key Encryption (PKE), key used
More informationOn the Security of a Certificateless Public-Key Encryption
On the Security of a Certificateless Public-Key Encryption Zhenfeng Zhang, Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100080,
More informationCS 395T. Formal Model for Secure Key Exchange
CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,
More informationMTAT Cryptology II. Commitment Schemes. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Commitment Schemes Sven Laur University of Tartu Formal Syntax m M 0 (c,d) Com pk (m) pk Canonical use case Gen c d pk m Open pk (c,d) A randomised key generation algorithm Gen
More informationCS155. Cryptography Overview
CS155 Cryptography Overview Cryptography! Is n A tremendous tool n The basis for many security mechanisms! Is not n The solution to all security problems n Reliable unless implemented properly n Reliable
More informationProofs for Key Establishment Protocols
Information Security Institute Queensland University of Technology December 2007 Outline Key Establishment 1 Key Establishment 2 3 4 Purpose of key establishment Two or more networked parties wish to establish
More informationCryptography. and Network Security. Lecture 0. Manoj Prabhakaran. IIT Bombay
Cryptography and Network Security Lecture 0 Manoj Prabhakaran IIT Bombay Security In this course: Cryptography as used in network security Humans, Societies, The World Network Hardware OS Libraries Programs
More informationMessage Authentication ( 消息认证 )
Message Authentication ( 消息认证 ) Sheng Zhong Yuan Zhang Computer Science and Technology Department Nanjing University 2017 Fall Sheng Zhong, Yuan Zhang (CS@NJU) Message Authentication ( 消息认证 ) 2017 Fall
More informationProvably Secure and Efficient Cryptography
Provably Secure and Efficient Cryptography Tsuyoshi TAKAGI TU Darmstadt ttakagi@cdc.informatik.tu-darmstadt.de http://www.informatik.tu-darmstadt.de/ti/ Contents Overview NICE Cryptosystem Provable Security
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More information