Digital Signatures. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 54
|
|
- Beverly Reeves
- 6 years ago
- Views:
Transcription
1 Digital Signatures Ali El Kaafarani Mathematical Institute Oxford University 1 of 54
2 Outline 1 Definitions 2 Factoring Based Signatures 3 Dlog Based Signatures 4 Hash-Based Signatures 5 Certificates 6 SSL/TLS 2 of 54
3 An Overview Digital signatures are used to provide Integrity (or authenticity) in the public key setting. For instance, software companies use them to allow the clients to verify that the software updates are authentic. Companies simply sign their updates using their secret keys, and clients can then verify the authenticity of the updates by verifying the validity of the signatures against the companies public keys, that are already known to the clients. 3 of 54
4 An Overview If a signature σ on a message m is verified correctly against a given public key PK, it ensures that the message was indeed sent by the owner of this public key (already known to potential verifiers) and the message was NOT modified in transit. Non-repudiation: signers cannot deny having signed a message. In comparison to message authentication codes (MACs); Key distribution and management is hugely simplified. Signatures are publicly verifiable they are transferable (essential for certificates). MACs are shorter and more efficient to generate/verify. 4 of 54
5 Syntax A digital signature scheme S consists of the following PPT algorithms: KeyGen(1 n ): it takes the security parameter as input and returns a pair of keys (PK, SK), the public key PK and its matching secret key SK. Sign(SK, m): it takes a secret key SK, a message m and returns a signature σ. Verify(PK, m, σ): A deterministic algorithm that takes the public key PK and a signature σ, and returns a bit, 1 for valid signatures and 0 for invalid ones. 5 of 54
6 Security Definition: Unforgeability Experiment Algorithm (Unforg A,S (n)) KeyGen(1 n ): returns the keys (PK, SK). Signing Queries: the adversary A is given access to a signing oracle Sign(SK, ). Let Q be the set of all messages that A asked its oracle to sign. A s output: a pair (m, σ ). If Verify(PK, m, σ ) = 1 and m Q, return 1, else return 0. 6 of 54
7 Security Definition: Unforgeability Experiment Definition A signature scheme S = (KeyGen, Sign, Verify) is existentially unforgeable under an adaptive chosen-message attack, if for all PPT adversaries A, we have Pr[Unforg A,S (n) = 1] negl(n) 7 of 54
8 Hash-and-Sign Paradigm Let S = (KeyGen, Sign, Verify) a digital signature scheme for messages of length l(n) and H a hash function with output length l(n). We define a signature scheme S = (KeyGen, Sign, Verify ) for arbitrary length messages as follows: KeyGen (1 n ): it runs KeyGen(1 n ) to get a pair of keys (PK, SK), and KeyGen H (1 n ) to get s. Sign (SK, m): it takes the keys (s, SK), a message m {0, 1} and returns a signature σ := Sign(SK, H s (m)). Verify (PK, s, m, σ): it that takes the public keys (s, PK), a message m and a signature σ, it returns 1 iff Verify(PK, H s (m), σ) = 1. 8 of 54
9 Outline 1 Definitions 2 Factoring Based Signatures 3 Dlog Based Signatures 4 Hash-Based Signatures 5 Certificates 6 SSL/TLS 9 of 54
10 RSA Signatures: Plain RSA We define the plain RSA signatures as follows: KeyGen(1 n ): it takes the security parameter n as input and returns a modulus N, a product of two n-bit primes, p, q. It also outputs two integers e, d s.t. e d = 1 mod φ(n). PK = (N, e) and SK = (N, d) as the secret key. Sign(SK, m): it takes a secret key SK, a message m Z N and returns a signature σ := m d mod N Verify(PK, m, σ): it takes the public key PK and a signature σ, and a message m and returns a bit, 1 iff m = σ e mod N 10 of 54
11 Security Analysis of Plain RSA Same problem with the m being uniform. What about forging signatures on messages that the adversary can choose? No message attack: given a public key (N, e), pick σ Z N, and compute the message as m σ e mod N, output the forgery (m, σ). Malleability: knowing two valid signatures on two messages m 1, m 2, we can construct a valid signature on a new message m = m 1 m 2 as follows; σ σ 1 σ 2 mod N. 11 of 54
12 RSA-Full Domain Hash (RSA-FDH) We define the RSA-FDH signature scheme as follows: KeyGen(1 n ): it takes the security parameter n as input and returns a modulus N, a product of two n-bit primes, p, q. It also outputs two integers e, d s.t. e d = 1 mod φ(n). PK = (N, e) and SK = (N, d) as the secret key. It also generates a function H : {0, 1} Z N. Sign(SK, m): it takes a secret key SK, a message m Z N and returns a signature σ := H(m) d mod N Verify(PK, m, σ): it takes the public key PK and a signature σ, and a message m and returns a bit, 1 iff 12 of 54 H(m) = σ e mod N
13 Security of (RSA-FDH) Theorem If the RSA problem is hard and H is modelled as a random oracle, then the digital signature RSA-FDH is secure. 13 of 54
14 Security of (RSA-FDH) Proof. Let A be a PPT adversary, we make the following assumptions during the security proof: If A queries the signing oracle for a signature on a message m, then it previously queried m to H. Same when A outputs a forgery (m, σ). A makes exactly q(n) distinct queries to H. We will build an adversary A that can solve the RSA problem as follows: 14 of 54
15 Security of (RSA-FDH) Proof. A (N, e, y): Choose uniform j {1,, q} Send pk = (N, e) to A. Manage a storage table for triples of the form (m i, σ i, y i ) which means that A has set H(m i ) = y i, where σi e = y i mod N. Hash queries: When A makes its i-th queries, answer as follows: if i = j, answer the query by y. else Choose a uniform σ i Z N, compute y i σi e mod N, store the tuple (m i, σ i, y i ) in the table and return y i. 15 of 54
16 Security of (RSA-FDH) Proof. Signing queries: When A makes its signing queries on m, so m = m i is already in the hash queries table, answer it as follows: if i = j, then aborts. else find the entry (m i, σ i, y i ) from the table, and return σ i to A. Finally, A outputs its forgery (m, σ). If m = m j and σ e = y mod N, then output σ as an answer to the RSA problem. We observe that; Pr[RSA-Exp A ] = Pr[Unforg A,S (n)] q(n) 16 of 54
17 More on RSA-FDH Included in the RSA PKCS #1 v2.1 standards. Some practical attacks on RSA-FDH are known if H has small output length. Therefore, cryptographic hash functions such as SHA-1 are not suitable. 17 of 54
18 Outline 1 Definitions 2 Factoring Based Signatures 3 Dlog Based Signatures 4 Hash-Based Signatures 5 Certificates 6 SSL/TLS 18 of 54
19 Schnorr Identification Scheme A three round interactive protocol that can be used to allow one party to authenticate itself. We will have two parties, a prover (e.g. a user ) and a verifier (e.g a web server). Security of an identification scheme: Given an adversary that can eavesdrop on multiple executions of the protocol and who doesn t know the prover s secret key, he should NOT be able to fool the verifier into accepting. 19 of 54
20 Schnorr Identification Scheme Prover(x) Verifier(G, q, g, y = g x ) k $ Z q I g k I Challenge c $ Z q c s [cx + k mod q] s 20 of 54 g s y c? = I
21 Security of Schnorr Identification Scheme Theorem If Dlog is hard in G, then Schnorr identification is secure. Sketch proof. Assuming that the adversary can, on input y G, output a response s for any challenge c with high probability, then it can in particular respond with correct responses s 1, s 2 to two distinct challenge values c 1, c 2 Z q. But this means that we now have g s1 y c 1 = I = g s2 y c 2 And therefore, one can compute the Dlog problem by finding 21 of 54 y = g s 2 s 1 c 2 c 1.
22 Security of Schnorr Identification Scheme Sketch proof. What about the fact that the adversary is passively eavesdropping on the executions of the protocol? Does learning an honest transcript (I, r, s) help anyway? We show that the adversary can simulate the transcript himself by reversing the order of the steps: Choose uniform and independent c, s Z q Set I := g s y c. The transcript (I, r, s ) is indistinguishable from an honest one! 1 This is essential in the Zero-Knowledge Proofs topic. 22 of 54
23 Fiat-Shamir Transform It can be used to transform an interactive identification scheme into a non-interactive signature scheme. The signer runs the whole protocol by itself. It applies a hash function to (m, I) in order to generate the challenge c. The signature on m is now (c, s). The verifier can recompute I and check if the c = H(I, m). 23 of 54
24 The Schnorr Signature Scheme KeyGen(1 n ): it takes the security parameter n as input and returns (G, q, g). It chooses a uniform x Z q and sets y = g x. the secret key is SK = x whereas the public key is PK = (G, q, g, y). It also generates a hash function H : {0, 1} Z q. Sign(SK, m {0, 1} ): it takes a secret key SK and a message m Z N, it then chooses a uniform k Z q and sets I = g k. It computes c := H(I, m) and [s := cx + k mod q]. It finally returns a signature σ := (c, s) Verify(PK, m, σ): it takes the public key PK and a signature σ, and a message m and computes I := g s y c and output 1 if 24 of 54 H(I, m)? = c
25 Security of the Schnorr Signature Scheme Theorem If the Dlog is hard in G and H is modelled as a random oracle, then the Schnorr signature scheme is secure. 25 of 54
26 Digital Signature Algorithm (DSA) and (ECDSA) Some of their versions go back to Both in the Digital Signature Standard (DSS) published by NIST. They are based on some identification scheme that are secure if Dlog is hard. 26 of 54
27 DSA: underlying identification scheme Prover(x) Verifier(G, q, g, y = g x ) k $ Z q I g k I c, α Challenge c, α $ Z q s [k 1 (α + xc) mod q] s s? 0 27 of 54 g αs 1 y cs 1? = I
28 DSA: underlying identification scheme Correctness of the scheme: It is correct as long as s 0, which only happens if α = xc mod q. The probability that this happens is negligible. Security: based on the hardness of Dlog. Assume that the attacker, and after he outputs an initial message I, he can output correct responses (s 1, s 2 ) for two different challenges (α, c 1 ) and (α, c 2 ). Exercise: compute log g y. 28 of 54
29 DSA KeyGen(1 n ): it takes the security parameter n as input and returns (G, q, g). It chooses a uniform x Z q and sets y = g x. the secret key is SK = x whereas the public key is PK = (G, q, g, y). It also generates two functions H : {0, 1} Z q and F : G Z q. Sign(SK, m {0, 1} ): it takes a secret key SK and a message m Z N, it then chooses a uniform k Z q and sets c := F(g k ). It computes s := [k 1 (H(m) + xc) mod q]. If s = 0 or c = 0 start again by choosing a fresh k. It finally returns the signature σ := (c, s). Verify(PK, m, σ): it takes the public key PK and a signature σ with c, s 0, and a message m. It output 1 if g H(m) s 1 y c s 1? = c 29 of 54
30 Security of DSA/ECDSA Can be proven secure assuming the we model H and F as random oracles. Fine with H, but not with F. No known proofs for F as it is specified in the standard. Choosing k properly is crucial. Knowing k, you can recover the secret key x (check it!). Using the same k for different signatures is very bad! This is what the hackers did to recover the master secret key of Sony PS3 in 2010! 30 of 54
31 Pairings based signatures Boneh-Lynn-Shacham signatures. Boneh-Boyen signatures of 54
32 Outline 1 Definitions 2 Factoring Based Signatures 3 Dlog Based Signatures 4 Hash-Based Signatures 5 Certificates 6 SSL/TLS 32 of 54
33 Hash-Based Signatures Signature schemes that are based on hash functions. No reliance on number-theoretic hardness assumptions. No reliance on random oracles. Believed to be post-quantum secure. 33 of 54
34 Lamport s Signature Scheme It is a one-time secure signature scheme. This was introduced by Leslie Lamport in By one-time we mean that the adversary can only query the signing oracle on exactly one message. One-time secure signatures are usually used to build other cryptosystems (including digital signatures) that achieve stronger notions of security. 34 of 54
35 Lamport s Signature Scheme Example (Katz-Lindell book) Let s consider the example of a 3-bit message. Let the private key and public keys be as follows: ( ) ( ) y1,0 y PK = 2,0 y 3,0 x1,0 x SK = 2,0 x 3,0 y 1,1 y 2,1 y 3,1 x 1,1 x 2,1 x 3,1 {x i,j } are chosen uniformly at random from {0, 1} n and y i,j = H(x i,j ), for i = 1, 2, 3; j = 1, 2. Given m = 011, the signature will be σ = (x 1,0, x 2,1, x 3,1 ). Verification: given m = 011 and σ = (x 1,0, x 2,1, x 3,1 ), Check if 35 of 54 H(x 1,0 )? = y 1,0 H(x 2,1 )? = y 2,1 H(x 3,1 )? = y 3,0
36 Lamport s Signature Scheme How can an attacker forge the previous one-time scheme? 36 of 54
37 Lamport s Signature Scheme How can an attacker forge the previous one-time scheme? He can learn ONLY one signature on one message m of his choice. He has to output a signature on a new message m. The new signature will then involve some new x i,j, say x 1,1. This means that he managed to compute the preimage of y 1,1 that is a part of the public key. This can t happen if H is a one-way function, i.e. finding the preimage is computationally difficult. 36 of 54
38 Lamport s Signature Scheme Given a function H : {0, 1} {0, 1}, the Lamport s signature scheme for messages of length l(n) can be defined as follows: KeyGen(1 n ): it generates the following private and public keys: ( ) ( ) y1,0 y PK = 2,0... y l,0 x1,0 x SK = 2,0... x l,0 y 1,1 y 2,1... y l,1 x 1,1 x 2,1... x l,1 where {x i,j } are chosen uniformly at random from {0, 1} n and y i,j = H(x i,j ), for i = 1,..., l; j = 1, 2. Sign(SK, m {0, 1} l ) : the signature will be σ = (x 1,m1,..., x l,ml ), where m = m 1... m l Verify(m, σ, PK): on input m = m 1... m l and σ = (x 1,..., x l ), output 1 iff 37 of 54 H(x i )? = y i,mi, i [1, l]
39 Security of Lamport s Signature Scheme Theorem If H is a one-way function, then the Lamport s signature scheme is a one-time secure signature scheme. 38 of 54
40 Outline 1 Definitions 2 Factoring Based Signatures 3 Dlog Based Signatures 4 Hash-Based Signatures 5 Certificates 6 SSL/TLS 39 of 54
41 Certificates It solves the problem of distribution of public keys. A trusted party is needed to start the process. Then we can distribute arbitrarily many different public keys. A digital certificate is a digital signature that binds an entity to a certain public key. Assume that we have two parties Alice (PK A, SK A ) and Bob (PK B, SK B ). We also assume that Alice knows PK B. Alice can issue a certificate for Bob s key as follows: cert A B := Sign(SK A, Bob s key is PK B ) More identifying information about Bob are usually included in the certificate! 40 of 54
42 Certificates and Public Key Infrastructure (PKI) In the simplest form of PKI, we have at least one Certificate Authority (CA). A CA is a company (or a government agency) that certifies public keys. Everybody has to get a legitimate copy of PK CA. The easiest way to distribute PK CA is by physical means, e.g. USB stick (for new employees). Other ways include embedding CA s public key in the browser. Now if Charlie receives cert CA B, he will be sure that the signed public key, i.e. PK B, does indeed belong to Bob. 41 of 54
43 Certificates and Public Key Infrastructure (PKI) Delegations and certificate chains: a root CA can issue certificates to other CAs, say CA1, CA2, etc., that says: CA1 s public key is PK CA1 and is trusted to issue other certificate The web of trust model: a decentralized model- no reliance on a root CA. Pretty Good Privacy (PGP) is an example of this model. It is an -encryption software for distribution of public keys. Invalidating Certificates: Expiration: you can include an expiry date in the certificate. Revocation: you can include a serial number in the certificate, so that you can include in a certificate revocation list (CRL) that will be updated regularly. 42 of 54
44 Outline 1 Definitions 2 Factoring Based Signatures 3 Dlog Based Signatures 4 Hash-Based Signatures 5 Certificates 6 SSL/TLS 43 of 54
45 SSL/TLS Secure Socket layer (SSL) is the old version that was developed by Netscape around mid-1990s. Transport Layer Security (TLS) is its new version. Major websites now support the (TLS 1.2), although 50% of the websites still use TLS1.0! A given client (web browser) and a given server (website), can use TLS to agree on some shared keys which they will use to encrypt and authenticate their communication. 44 of 54
46 SSL/TLS TLS consists of two phases: The handshake protocol: it performs an authenticated key exchange mechanism to establish the shared keys. The record layer protocol: it usually uses the shared keys to encrypt/authenticate the communication between parties. It first authenticates servers (that have certificates) to clients, and then clients, can authenticate themselves to servers at the application level by using passwords. (Next slide s diagrams from and 45 of 54
47 46 of 54
48 47 of 54
49 The Handshake Protocol-1 Step 1:C S: (ciphersuites, nonce N C ). % A nonce is a uniform value. Step 2: S C: (Latest version of TLS it supports, ciphersuites, PK S, cert i S, nonce N S ). Step 3: C verifies the certificate against the PK of CA i, it makes sure it is not revoked or expired. If it is valid, it will use PK S as the server s public key. (c, pmk) Encaps PKS (1 n ) mk key-derivation function(pmk, N C, N S ) (k C, k C, k S, k S) PRG(mk) τ C MAC mk (transcript : all exchanged messages) C S: (c, τ C ) 48 of 54
50 The Handshake Protocol-2 Step 4: S computes pmk Decaps SKS (c). mk key-derivation function(pmk, N C, N S ). (k C, k C, k S, k S) PRG(mk). If Verify mk (transcript, τ C ) 1, then S aborts. Else τ S MAC mk (transcript ), transcript = transcript last message from C. S C: τ S Step 5: If Verify mk (transcript, τ S ) 1, C aborts. At the end of the handshake protocol, the client C and the server S share the following symmetric keys: k C, k C, k S, k S. 49 of 54
51 The Record-Layer Protocol C will use k C to encrypt and k C to authenticate all messages that it will send to S. S will do the same with k S and k S. They will use sequence numbers to prevent replay attacks. Note that even TLS 1.2 uses MAC-then-Encrypt approach, so no wonder why we have lots of attacks on TLS! 50 of 54
52 Further Reading (1) Carlisle Adams and Steve Lloyd. Understanding PKI: concepts, standards, and deployment considerations. Addison-Wesley Professional, Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM conference on Computer and communications security, pages ACM, Dan Boneh, Ben Lynn, and Hovav Shacham. Short signatures from the weil pairing. Journal of cryptology, 17(4): , of 54
53 Further Reading (2) Tim Dierks. The transport layer security (TLS) protocol version Carl Ellison and Bruce Schneier. Ten risks of PKI: What you re not being told about public key infrastructure. Comput Secur J, 16(1):1 7, Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identification and signature problems. In Advances in Cryptology CRYPTO 86, pages Springer, of 54
54 Further Reading (3) Martin Georgiev, Subodh Iyengar, Suman Jana, Rishita Anubhai, Dan Boneh, and Vitaly Shmatikov. The most dangerous code in the world: validating SSL certificates in non-browser software. In Proceedings of the 2012 ACM conference on Computer and communications security, pages ACM, Hugo Krawczyk. Cryptographic extraction and key derivation: The hkdf scheme. In Annual Cryptology Conference, pages Springer, of 54
55 Further Reading (4) Hugo Krawczyk, Kenneth G Paterson, and Hoeteck Wee. On the security of the TLS protocol: A systematic analysis. In Advances in Cryptology CRYPTO 2013, pages Springer, Leslie Lamport. Constructing digital signatures from a one-way function. Technical report, Technical Report CSL-98, SRI International Palo Alto, William Stallings. Network security essentials: applications and standards. Pearson Education India, of 54
CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure
CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure Professor Henry Carter Fall 2018 Recap Digital signatures provide message authenticity and integrity in the public-key setting As well as public
More informationCSC 5930/9010 Modern Cryptography: Digital Signatures
CSC 5930/9010 Modern Cryptography: Digital Signatures Professor Henry Carter Fall 2018 Recap Implemented public key schemes in practice commonly encapsulate a symmetric key for the rest of encryption KEM/DEM
More informationCryptography. Lecture 12. Arpita Patra
Cryptography Lecture 12 Arpita Patra Digital Signatures q In PK setting, privacy is provided by PKE q Integrity/authenticity is provided by digital signatures (counterpart of MACs in PK world) q Definition:
More informationIntroduction to Cryptography Lecture 10
Introduction to Cryptography Lecture 10 Digital signatures, Public Key Infrastructure (PKI) Benny Pinkas January 1, 2012 page 1 Non Repudiation Prevent signer from denying that it signed the message I.e.,
More informationReminder: Homework 4. Due: Friday at the beginning of class
Reminder: Homework 4 Due: Friday at the beginning of class 1 Cryptography CS 555 Topic 33: Digital Signatures Part 2 2 Recap El-Gamal/RSA-OAEP Digital Signatures Similarities and differences with MACs
More informationInformation Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1
Information Security message M one-way hash fingerprint f = H(M) 4/19/2006 Information Security 1 Outline and Reading Digital signatures Definition RSA signature and verification One-way hash functions
More informationCryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44
Cryptography Today Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 About the Course Regular classes with worksheets so you can work with some concrete examples (every Friday at 1pm).
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.
CS355: Cryptography Lecture 17: X509. PGP. Authentication protocols. Key establishment. Public Keys and Trust Public Key:P A Secret key: S A Public Key:P B Secret key: S B How are public keys stored How
More informationVerifiably Encrypted Signature Scheme with Threshold Adjudication
Verifiably Encrypted Signature Scheme with Threshold Adjudication M. Choudary Gorantla and Ashutosh Saxena Institute for Development and Research in Banking Technology Road No. 1, Castle Hills, Masab Tank,
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 1: Overview What is Cryptography? Cryptography is the study of
More informationDigital Signatures. Luke Anderson. 7 th April University Of Sydney.
Digital Signatures Luke Anderson luke@lukeanderson.com.au 7 th April 2017 University Of Sydney Overview 1. Digital Signatures 1.1 Background 1.2 Basic Operation 1.3 Attack Models Replay Naïve RSA 2. PKCS#1
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationChapter 12 : Digital Signature Schemes
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 12 : Digital Signature Schemes 1 Chapter 12 Digital Signature Schemes Apologies: all numbering
More informationLecture 10, Zero Knowledge Proofs, Secure Computation
CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last
More informationCryptography V: Digital Signatures
Cryptography V: Digital Signatures Computer Security Lecture 10 David Aspinall School of Informatics University of Edinburgh 10th February 2011 Outline Basics Constructing signature schemes Security of
More informationCrypto meets Web Security: Certificates and SSL/TLS
CSE 484 / CSE M 584: Computer Security and Privacy Crypto meets Web Security: Certificates and SSL/TLS Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationCertificateless Public Key Cryptography
Certificateless Public Key Cryptography Mohsen Toorani Department of Informatics University of Bergen Norsk Kryptoseminar November 9, 2011 1 Public Key Cryptography (PKC) Also known as asymmetric cryptography.
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously Exchanging keys and public key encryption Public Key Encryption pk sk Public Key Encryption pk cß Enc(pk,m) sk m Public
More informationPublic-Key Infrastructure NETS E2008
Public-Key Infrastructure NETS E2008 Many slides from Vitaly Shmatikov, UT Austin slide 1 Authenticity of Public Keys? private key Alice Bob public key Problem: How does Alice know that the public key
More informationIntroduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information
1 Introduction Cryptography is an interdisciplinary field of great practical importance. The subfield of public key cryptography has notable applications, such as digital signatures. The security of a
More informationCryptographic protocols
Cryptographic protocols Lecture 3: Zero-knowledge protocols for identification 6/16/03 (c) Jussipekka Leiwo www.ialan.com Overview of ZK Asymmetric identification techniques that do not rely on digital
More informationKey Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings
Key Exchange References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings Outlines Primitives Root Discrete Logarithm Diffie-Hellman ElGamal Shamir s Three Pass
More informationLecture 2 Applied Cryptography (Part 2)
Lecture 2 Applied Cryptography (Part 2) Patrick P. C. Lee Tsinghua Summer Course 2010 2-1 Roadmap Number theory Public key cryptography RSA Diffie-Hellman DSA Certificates Tsinghua Summer Course 2010 2-2
More informationDigital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2
Digital Signatures KG November 3, 2017 Contents 1 Introduction 1 2 Digital Signatures 2 3 Hash Functions 3 3.1 Attacks.................................... 4 3.2 Compression Functions............................
More informationChapter 9: Key Management
Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures Slide #9-1 Overview Key exchange Session vs. interchange
More informationIdentification Schemes
Identification Schemes Lecture Outline Identification schemes passwords one-time passwords challenge-response zero knowledge proof protocols Authentication Data source authentication (message authentication):
More informationBackground. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33
Background Network Security - Certificates, Keys and Signatures - Dr. John Keeney 3BA33 Slides Sources: Karl Quinn, Donal O Mahoney, Henric Johnson, Charlie Kaufman, Wikipedia, Google, Brian Raiter. Recommended
More information10 More on Signatures and the Public-Key Infrastructure
Leo Reyzin. Notes for BU CAS CS 538. 1 10 More on Signatures and the Public-Key Infrastructure 10.1 Random Oracle Model and Full-Domain-Hash Very efficient stateless signatures seem to come from the so-called
More informationCryptography (Overview)
Cryptography (Overview) Some history Caesar cipher, rot13 substitution ciphers, etc. Enigma (Turing) Modern secret key cryptography DES, AES Public key cryptography RSA, digital signatures Cryptography
More informationPublic-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7
Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7 David Cash University of Chicago Plan 1. Security of RSA 2. Key Exchange, Diffie-Hellman 3. Begin digital
More informationLecture 3.4: Public Key Cryptography IV
Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2012 Nitesh Saxena Course Administration HW1 submitted Trouble with BB Trying to check with BB support HW1 solution will be posted very soon
More informationCryptography V: Digital Signatures
Cryptography V: Digital Signatures Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 19th February 2009 Outline Basics Constructing signature schemes Security of
More informationCSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography Outline 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More informationApplied Cryptography and Computer Security CSE 664 Spring 2018
Applied Cryptography and Computer Security Lecture 13: Public-Key Cryptography and RSA Department of Computer Science and Engineering University at Buffalo 1 Public-Key Cryptography What we already know
More informationOutline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography 1. Introduction 2. RSA Outline 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 11: Public Key Infrastructure Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Public key infrastructure Certificates Trust
More informationDigital Signatures. Sven Laur University of Tartu
Digital Signatures Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic identity,
More informationOutline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)
Outline AIT 682: Network and Systems Security 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard Topic 5.2 Public Key Cryptography Instructor: Dr. Kun Sun 2 Public Key
More informationLinkable Message Tagging Solving the Key Distribution Problem of Signature Schemes Felix Günther
Linkable Message Tagging Solving the Key Distribution Problem of Signature Schemes Felix Günther Technische Universität Darmstadt Germany Bertram Poettering Ruhr-Universität Bochum Germany June 30, 2015
More informationData Security and Privacy. Topic 14: Authentication and Key Establishment
Data Security and Privacy Topic 14: Authentication and Key Establishment 1 Announcements Mid-term Exam Tuesday March 6, during class 2 Need for Key Establishment Encrypt K (M) C = Encrypt K (M) M = Decrypt
More informationPart VI. Public-key cryptography
Part VI Public-key cryptography Drawbacks with symmetric-key cryptography Symmetric-key cryptography: Communicating parties a priori share some secret information. Secure Channel Alice Unsecured Channel
More informationTen Risks of PKI : What You re not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier
Presented by Joshua Schiffman & Archana Viswanath Ten Risks of PKI : What You re not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier Trust Models Rooted Trust Model! In a
More informationCryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III
Cryptography III Public-Key Cryptography Digital Signatures 2/1/18 Cryptography III 1 Public Key Cryptography 2/1/18 Cryptography III 2 Key pair Public key: shared with everyone Secret key: kept secret,
More informationT Cryptography and Data Security
T-79.4501 Cryptography and Data Security Lecture 10: 10.1 Random number generation 10.2 Key management - Distribution of symmetric keys - Management of public keys Stallings: Ch 7.4; 7.3; 10.1 1 The Use
More informationOverview. SSL Cryptography Overview CHAPTER 1
CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through
More informationDigital Certificates Demystified
Digital Certificates Demystified Ross Cooper, CISSP IBM Corporation RACF/PKI Development Poughkeepsie, NY Email: rdc@us.ibm.com August 9 th, 2012 Session 11622 Agenda Cryptography What are Digital Certificates
More informationKurose & Ross, Chapters (5 th ed.)
Kurose & Ross, Chapters 8.2-8.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) Addison-Wesley, April 2009. Copyright 1996-2010, J.F Kurose and
More informationPublic Key Algorithms
CSE597B: Special Topics in Network and Systems Security Public Key Cryptography Instructor: Sencun Zhu The Pennsylvania State University Public Key Algorithms Public key algorithms RSA: encryption and
More informationKey Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature
Key Management Digital signatures: classical and public key Classic and Public Key exchange 1 Handwritten Signature Used everyday in a letter, on a check, sign a contract A signature on a signed paper
More informationThe most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who
1 The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who exchange messages from any third party. However, it does
More informationDistributed ID-based Signature Using Tamper-Resistant Module
, pp.13-18 http://dx.doi.org/10.14257/astl.2013.29.03 Distributed ID-based Signature Using Tamper-Resistant Module Shinsaku Kiyomoto, Tsukasa Ishiguro, and Yutaka Miyake KDDI R & D Laboratories Inc., 2-1-15,
More informationLecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from
Lecture 15 PKI & Authenticated Key Exchange COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Today We will see how signatures are used to create public-key infrastructures
More informationCryptography: More Primitives
Design and Analysis of Algorithms May 8, 2015 Massachusetts Institute of Technology 6.046J/18.410J Profs. Erik Demaine, Srini Devadas and Nancy Lynch Recitation 11 Cryptography: More Primitives 1 Digital
More informationCryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1
Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography CS555 Spring 2012/Topic 16 1 Outline and Readings Outline Private key management between two parties Key management
More informationIntroduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell
Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell 1 Cryptography Merriam-Webster Online Dictionary: 1. secret writing 2. the enciphering and deciphering
More informationICS 180 May 4th, Guest Lecturer: Einar Mykletun
ICS 180 May 4th, 2004 Guest Lecturer: Einar Mykletun 1 Symmetric Key Crypto 2 Symmetric Key Two users who wish to communicate share a secret key Properties High encryption speed Limited applications: encryption
More informationOn the security of a certificateless signature scheme in the standard model
On the security of a certificateless signature scheme in the standard model Lin Cheng, Qiaoyan Wen, Zhengping Jin, Hua Zhang State Key Laboratory of Networking and Switch Technology, Beijing University
More informationAPPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1
APPLICATIONS AND PROTOCOLS Mihir Bellare UCSD 1 Some applications and protocols Internet Casino Commitment Shared coin flips Threshold cryptography Forward security Program obfuscation Zero-knowledge Certified
More informationUsing Cryptography CMSC 414. October 16, 2017
Using Cryptography CMSC 414 October 16, 2017 Digital Certificates Recall: K pub = (n, e) This is an RSA public key How do we know who this is for? Need to bind identity to a public key We can do this using
More informationCT30A8800 Secured communications
CT30A8800 Secured communications Pekka Jäppinen October 31, 2007 Pekka Jäppinen, Lappeenranta University of Technology: October 31, 2007 Secured Communications: Key exchange Schneier, Applied Cryptography:
More informationCryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39
Cryptography 2017 Lecture 4 Attacks against Block Ciphers Introduction to Public Key Cryptography November 14, 2017 1 / 39 What have seen? What are we discussing today? What is coming later? Lecture 3
More informationComputer Security Course. Public Key Crypto. Slides credit: Dan Boneh
Computer Security Course. Dawn Song Public Key Crypto Slides credit: Dan Boneh Administra>ve Issues Security is a fast- changing field We cover a broad spectrum of areas in computer security Hence, there
More informationL13. Reviews. Rocky K. C. Chang, April 10, 2015
L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing
More informationPaper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage
1 Announcements Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage 2 Recap and Overview Previous lecture: Symmetric key
More informationIntroduction to Public-Key Cryptography
Introduction to Public-Key Cryptography Nadia Heninger University of Pennsylvania June 11, 2018 We stand today on the brink of a revolution in cryptography. Diffie and Hellman, 1976 Symmetric cryptography
More informationSpring 2010: CS419 Computer Security
Spring 2010: CS419 Computer Security Vinod Ganapathy Lecture 7 Topic: Key exchange protocols Material: Class handout (lecture7_handout.pdf) Chapter 2 in Anderson's book. Today s agenda Key exchange basics
More informationMTAT Cryptology II. Entity Authentication. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Entity Authentication Sven Laur University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie?
More informationCSC/ECE 774 Advanced Network Security
Computer Science CSC/ECE 774 Advanced Network Security Topic 2. Network Security Primitives CSC/ECE 774 Dr. Peng Ning 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange;
More informationStudy Guide for the Final Exam
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Handout #22 Professor M. J. Fischer April 30, 2005 1 Exam Coverage Study Guide for the Final Exam The final
More informationCryptography and Network Security. Sixth Edition by William Stallings
Cryptography and Network Security Sixth Edition by William Stallings Chapter 13 Digital Signatures To guard against the baneful influence exerted by strangers is therefore an elementary dictate of savage
More informationDelegatable Functional Signatures
Delegatable Functional Signatures Michael Backes MPI-SWS Saarland University Germany Sebastian Meiser Saarland University Germany October 10, 2013 Dominique Schröder Saarland University Germany Abstract
More informationEncryption. INST 346, Section 0201 April 3, 2018
Encryption INST 346, Section 0201 April 3, 2018 Goals for Today Symmetric Key Encryption Public Key Encryption Certificate Authorities Secure Sockets Layer Simple encryption scheme substitution cipher:
More informationSecure Multiparty Computation
CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationCS408 Cryptography & Internet Security
CS408 Cryptography & Internet Security Lectures 16, 17: Security of RSA El Gamal Cryptosystem Announcement Final exam will be on May 11, 2015 between 11:30am 2:00pm in FMH 319 http://www.njit.edu/registrar/exams/finalexams.php
More informationSecure digital certificates with a blockchain protocol
Secure digital certificates with a blockchain protocol Federico Pintore 1 Trento, 10 th February 2017 1 University of Trento Federico Pintore Blockchain and innovative applications Trento, 10 th February
More information1 Identification protocols
ISA 562: Information Security, Theory and Practice Lecture 4 1 Identification protocols Now that we know how to authenticate messages using MACs, a natural question is, how can we use MACs to prove that
More information1 Defining Message authentication
ISA 562: Information Security, Theory and Practice Lecture 3 1 Defining Message authentication 1.1 Defining MAC schemes In the last lecture we saw that, even if our data is encrypted, a clever adversary
More informationCS Computer Networks 1: Authentication
CS 3251- Computer Networks 1: Authentication Professor Patrick Traynor 4/14/11 Lecture 25 Announcements Homework 3 is due next class. Submit via T-Square or in person. Project 3 has been graded. Scores
More informationApplied cryptography
Applied cryptography Electronic Cash Andreas Hülsing 29 November 2016 1 / 61 Classical Cash - Life Cycle Mint produces money (coins / bank notes) Sent to bank User withdraws money (reduces account balance)
More informationCS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong
CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationGarantía y Seguridad en Sistemas y Redes
Garantía y Seguridad en Sistemas y Redes Tema 2. Cryptographic Tools Esteban Stafford Departamento de Ingeniería Informá2ca y Electrónica Este tema se publica bajo Licencia: Crea2ve Commons BY- NC- SA
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.5 Public Key Algorithms CSC 474/574 Dr. Peng Ning 1 Public Key Algorithms Public key algorithms covered in this class RSA: encryption and digital signature
More informationInformation Security CS 526
Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric
More informationForward-Secure Signatures for Unbounded Time Periods in Mobile Computing Applications
208 Forward-Secure Signatures for Unbounded Time Periods in Mobile Computing Applications N..Sunitha B.B.Amberker Prashant Koulgi Department of Computer Science Department of Computer Science Department
More informationPKI Services. Text PKI Definition. PKI Definition #1. Public Key Infrastructure. What Does A PKI Do? Public Key Infrastructures
Public Key Infrastructures Public Key Infrastructure Definition and Description Functions Components Certificates 1 2 PKI Services Security Between Strangers Encryption Integrity Non-repudiation Key establishment
More informationSSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1
SSL/TLS & 3D Secure CS 470 Introduction to Applied Cryptography Ali Aydın Selçuk CS470, A.A.Selçuk SSL/TLS & 3DSec 1 SSLv2 Brief History of SSL/TLS Released in 1995 with Netscape 1.1 Key generation algorithm
More informationOn the Security of a Certificateless Public-Key Encryption
On the Security of a Certificateless Public-Key Encryption Zhenfeng Zhang, Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100080,
More informationNetwork Security. Chapter 4 Public Key Cryptography. Public Key Cryptography (4) Public Key Cryptography
Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Encryption/Decryption using Public Key Cryptography Network Security Chapter 4 Public Key Cryptography However,
More informationDigital Signatures Do Not Guarantee Exclusive Ownership
Digital Signatures Do Not Guarantee Exclusive Ownership Thomas Pornin and Julien P. Stern Cryptolog International, Paris, France thomas.pornin@cryptolog.com and julien.stern@cryptolog.com Abstract. Digital
More informationTopics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols
Cryptographic Protocols Topics 1. Dramatis Personae and Notation 2. Session and Interchange Keys 3. Key Exchange 4. Key Generation 5. Cryptographic Key Infrastructure 6. Storing and Revoking Keys 7. Digital
More informationLecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model
CMSC 858K Advanced Topics in Cryptography March 11, 2004 Lecturer: Jonathan Katz Lecture 14 Scribe(s): Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze 1 A Note on Adaptively-Secure NIZK A close look
More informationCryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea
Cryptography SSL/TLS Network Security Workshop 3-5 October 2017 Port Moresby, Papua New Guinea 1 History Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent
More informationMessage Authentication ( 消息认证 )
Message Authentication ( 消息认证 ) Sheng Zhong Yuan Zhang Computer Science and Technology Department Nanjing University 2017 Fall Sheng Zhong, Yuan Zhang (CS@NJU) Message Authentication ( 消息认证 ) 2017 Fall
More informationPublic Key Algorithms
Public Key Algorithms 1 Public Key Algorithms It is necessary to know some number theory to really understand how and why public key algorithms work Most of the public key algorithms are based on modular
More informationMTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov October 31, 2005 Abstract Standard security assumptions (IND-CPA, IND- CCA) are explained. A number of cryptosystems
More informationIntroduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms
Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms Egemen K. Çetinkaya Egemen K. Çetinkaya Department of Electrical & Computer Engineering Missouri University of
More informationCSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L
CS 3461/5461: Introduction to Computer Networking and Internet Technologies Network Security Study: 21.1 21.5 Kannan Srinivasan 11-27-2012 Security Attacks, Services and Mechanisms Security Attack: Any
More informationCSC 5930/9010 Modern Cryptography: Public Key Cryptography
CSC 5930/9010 Modern Cryptography: Public Key Cryptography Professor Henry Carter Fall 2018 Recap Number theory provides useful tools for manipulating integers and primes modulo a large value Abstract
More informationCSC 482/582: Computer Security. Security Protocols
Security Protocols Topics 1. Basic Concepts of Cryptography 2. Security Protocols 3. Authentication Protocols 4. Key Exchange Protocols 5. Kerberos 6. Public Key Infrastructure Encryption and Decryption
More information