Simple Password-Hardened Encryption Services
|
|
- Ada Vanessa Rogers
- 5 years ago
- Views:
Transcription
1 Simple Password-Hardened Encryption Services Russell W. F. Lai 1, Christoph Egger 1, Manuel Reinert 2, Sherman S. M. Chow 3, Matteo Maffei 4, and Dominique Schröder 1 1 Friedrich-Alexander University Erlangen-Nuremberg 2 Saarland University 3 Chinese University of Hong Kong 4 TU Wien
2 Overview
3 One-Package Solution for Data Security Password-Hardened Encryption What it does? To protect sensitive client data stored in a server with password (or biometric / two-factor / etc) authentication even after the server is completely compromised with minimal help from an external rate-limiter. Simple Password-Hardened Encryption Services Russel W. F. Lai 2/24
4 One-Package Solution for Data Security Password-Hardened Encryption What it does? To protect sensitive client data stored in a server with password (or biometric / two-factor / etc) authentication even after the server is completely compromised with minimal help from an external rate-limiter. Security Features Eliminate offline (e.g., dictionary) attacks Rate-limit online (e.g., password guessing) attacks Obliviousness (Rate-Limiter learns nothing) Soundness (Rate-Limiter cannot cheat) Support key-rotation (required in PCI DSS) PCI DSS: Payment Card Industry Data Security Standard Simple Password-Hardened Encryption Services Russel W. F. Lai 2/24
5 One-Package Solution for Data Security Password-Hardened Encryption What it does? To protect sensitive client data stored in a server with password (or biometric / two-factor / etc) authentication even after the server is completely compromised with minimal help from an external rate-limiter. Security Features Eliminate offline (e.g., dictionary) attacks Rate-limit online (e.g., password guessing) attacks Obliviousness (Rate-Limiter learns nothing) Soundness (Rate-Limiter cannot cheat) Support key-rotation (required in PCI DSS) Practicality Simple and easy to implement Easy to convert from existing systems 250 logins per core per second PCI DSS: Payment Card Industry Data Security Standard Simple Password-Hardened Encryption Services Russel W. F. Lai 2/24
6 Motivation
7 Password Authenticated Data Retrieval Client C Username Alice Password Server S Username Alice Hash h Salt aqzcsp Data Top Secret Hi! I am Alice. My password is h? = Hash(123456, aqzcsp) OK! Here is your data Top Secret! Simple Password-Hardened Encryption Services Russel W. F. Lai 4/24
8 Password Authenticated Encrypted Data Retrieval Client C Username Alice Password Server S Username Alice Hash h Salt aqzcsp Encrypted Data c Hi! I am Alice. My password is if h? = Hash(123456, aqzcsp) then Top Secret Dec(sk S, c) OK! Here is your data Top Secret! Simple Password-Hardened Encryption Services Russel W. F. Lai 4/24
9 Issues and Solutions Steal Hash Database Offline Dictionary Attack Log in using Stolen Password Obtain Client Data Complete Compromise Decrypt using Stolen Server Key Simple Password-Hardened Encryption Services Russel W. F. Lai 5/24
10 Issues and Solutions Steal Hash Database Offline Dictionary Attack Log in using Stolen Password Password-Hardening Facebook, PYTHIA 15], 16], PHOENIX 17] Obtain Client Data Complete Compromise Decrypt using Stolen Server Key Simple Password-Hardened Encryption Services Russel W. F. Lai 5/24
11 Issues and Solutions Steal Hash Database Offline Dictionary Attack Log in using Stolen Password Password-Hardening Facebook, PYTHIA 15], 16], PHOENIX 17] Obtain Client Data Complete Compromise Decrypt using Stolen Server Key Password-Hardened Encryption [This Work] Simple Password-Hardened Encryption Services Russel W. F. Lai 5/24
12 Roadmap PHOENIX 17] Simplify Simplified PHOENIX Upgrade: Encryption Functionality Stronger Soundness Password Hardened Encryption Simple Password-Hardened Encryption Services Russel W. F. Lai 6/24
13 Password-Hardening
14 Ingredient: A Key-Homomorphic Pseudorandom Function (PRF) Let G be a group of prime order q (written multiplicatively) where Decisional Diffie Hellman (DDH) is hard. Let H : {0, 1} G be a random oracle. The function PRF : Z q {0, 1} G (key, message) H(message) key is pseudorandom under the DDH assumption. PRF is key-homomorphic: H(message) key+key = H(message) key H(message) key Simple Password-Hardened Encryption Services Russel W. F. Lai 8/24
15 Simplified PHOENIX 17] Registration Client C Server S Rate-Limiter R Register, Alice, aqzcsp $ Salts Register OjQZEe $ Salts y, OjQZEe y H(OjQZEe) sk R h H(aqZcSP, ) sks y Store (Alice, h, aqzcsp, OjQZEe) Simple Password-Hardened Encryption Services Russel W. F. Lai 9/24
16 Simplified PHOENIX 17] Login Client C Server S Rate-Limiter R Login, Alice, Retrieve (Alice, h, aqzcsp, OjQZEe) y h/h(aqzcsp, ) sk S Validate, y, OjQZEe Correct! Here is my proof! y? = H(OjQZEe) sk R OK! Come in! Simple Password-Hardened Encryption Services Russel W. F. Lai 10/24
17 Simplified PHOENIX 17] Key-Rotation h = H(aqZcSP, ) sks H(OjQZEe) sk R Server S Key sk S Rate-Limiter R Key sk R Server S Key sk S = α sk S h = h α H(OjQZEe) β = H(aqZcSP, ) α sk S H(OjQZEe) α sk R+β = H(aqZcSP, ) sk S H(OjQZEe) sk R Rate-Limiter R Key sk R = α sk R + β Simple Password-Hardened Encryption Services Russel W. F. Lai 11/24
18 Simplified PHOENIX 17] What the rate-limiter does? Equality Check Functionality: Check equality of pseudorandom function values. Rate-limiting Policy: Refuse to respond if OjQZEe appears too frequently. Rate-Limiter R y? = H(OjQZEe) sk R Simple Password-Hardened Encryption Services Russel W. F. Lai 12/24
19 Simplified PHOENIX 17] What the rate-limiter does? Equality Check Functionality: Check equality of pseudorandom function values. Rate-limiting Policy: Refuse to respond if OjQZEe appears too frequently. Rate-Limiter R y? = H(OjQZEe) sk R Idea: Upgrade to Password-Hardened Encryption Conditional Decryption Functionality: If Check equality of pseudorandom function values = True then Partially decrypt ciphertext. Simple Password-Hardened Encryption Services Russel W. F. Lai 12/24
20 Password-Hardened Encryption
21 Password-Hardened Encryption Registration Client C Server S Rate-Limiter R Register, Alice, , Top Secret aqzcsp $ Salts Register K $ AES Keys OjQZEe $ Salts y 0 H 0 (OjQZEe) sk R y 0, y 1 y1 H 1 (OjQZEe) sk R h 0 H 0 (aqzcsp, ) sks y 0 h 1 H 1 (aqzcsp, ) sks y 1 K sk S c AES.Enc(K, Top Secret) Store (Alice, (h 0, h 1, c), aqzcsp, OjQZEe) Simple Password-Hardened Encryption Services Russel W. F. Lai 14/24
22 Password-Hardened Encryption Login Client C Server S Rate-Limiter R Login, Alice, Retrieve (Alice, (h 0, h 1, c), aqzcsp, OjQZEe) y 0 h 0 /H 0 (aqzcsp, ) sk S Validate, y 0, OjQZEe z h 1 /H 1 (aqzcsp, ) sk S if y 0 = H 0 (OjQZEe) skr then Correct! Here is y 1 and my proof! y 1 H 1 (OjQZEe) sk R K (z/y 1 ) 1 sk S Top Secret Top Secret AES.Dec(K, c) Simple Password-Hardened Encryption Services Russel W. F. Lai 15/24
23 Password-Hardened Encryption Security Features Against Compromised Server Eliminate Offline Attacks Password Hashes are masked by R s PRF Compromised S must communicate with R Rate-Limit Online Attacks (per Client) R records the salt (e.g., OjQZEe) in each login request R refuses to respond if a client (a salt) tries to log in too frequently Simple Password-Hardened Encryption Services Russel W. F. Lai 16/24
24 Password-Hardened Encryption Security Features Against Compromised Rate-Limiter Obliviousness Registration and login requests are completely independent of clients passwords and data R learns nothing about clients passwords and data Soundness R must prove for both valid and invalid requests Proactive Security Key-Rotation e.g., periodically and when one party is (suspected to be) compromised Due to the key-homomorphic PRF Simple Password-Hardened Encryption Services Russel W. F. Lai 17/24
25 Performance Evaluation
26 Setup 10 Core Intel Xeon E CPU (both S and R) Charm crypto prototyping library Falcon Web Framework HTTPS with keep-alive Comparison (Rate-Limiter Throughput) 4x of PYTHIA [ECSJR@USENIX 15] 1.5x of PHOENIX [LESC@USENIX 17] (Those are password-hardening without encryption!) Simple Password-Hardened Encryption Services Russel W. F. Lai 19/24
27 Performance Graphs 1,500 Encrypt Decrypt-Success Decrypt-Fail 3,000 2,500 2,000 Encrypt Decrypt-Success Decrypt-Fail req/s 1,000 req/s 1, , core 2-core 4-core 8-core 1-core 2-core 4-core 8-core Figure: Server throughput in req/s Figure: Rate-Limiter throughput in req/s Simple Password-Hardened Encryption Services Russel W. F. Lai 20/24
28 Conclusion Simple Password-Hardened Encryption Services One-Package Solution for Data Security Russell W. F. Lai Friedrich-Alexander University Erlangen-Nuremberg
29 Questions and Answers
30 Why...? Why is it difficult to compromise both S and R? Compromising two parties require twice the effort. We assume that R is built and maintained by security experts, so it is difficult to compromise. Simple Password-Hardened Encryption Services Russel W. F. Lai 23/24
31 Why not...? Why not password-authenticated key-exchange (PAKE)? Different functionality. In PAKE, both parties know the password, and a fresh key is derived every time. Why not password-protected secret-sharing (PPSS)? No existing scheme supports efficient key-rotation. PPSS is too strong: The user in PPSS (the counterpart of the server in PHE) has no secret key. Simple Password-Hardened Encryption Services Russel W. F. Lai 24/24
Phoenix: Rebirth of a Cryptographic Password-Hardening Service
Phoenix: Rebirth of a Cryptographic Password-Hardening Service Russell W.F. Lai 1,2 Christoph Egger 1 Dominique Schro der 1 Sherman S.M. Chow 2 1 Friedrich-Alexander-Universita t Erlangen-Nu rnberg University
More informationPhoenix: Rebirth of a Cryptographic Password-Hardening Service
Phoenix: Rebirth of a Cryptographic Password-Hardening Service Russell W. F. Lai, Friedrich-Alexander-University Erlangen-Nürnberg, Chinese University of Hong Kong; Christoph Egger and Dominique Schröder,
More informationSimple Password-Hardened Encryption Services
Simple Password-Hardened Encryption Services Russell W. F. Lai 1, Christoph Egger 1, Manuel Reinert 2, Sherman S. M. Chow 3, Matteo Maffei 4, and Dominique Schröder 1 1 Friedrich-Alexander University Erlangen-Nuremberg
More informationStrong Password Protocols
Strong Password Protocols Strong Password Protocols Password authentication over a network Transmit password in the clear. Open to password sniffing. Open to impersonation of server. Do Diffie-Hellman
More informationIND-CCA2 secure cryptosystems, Dan Bogdanov
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee 1 Overview Notion of indistinguishability The Cramer-Shoup cryptosystem Newer results
More informationAuthentication. Strong Password Protocol. IT352 Network Security Najwa AlGhamdi
Authentication Strong Password Protocol 1 Strong Password Protocol Scenario : Alice uses any workstation to log to the server B, using a password to authenticate her self. Various way to do that? Use Ur
More informationDevice-Enhanced Password Protocols with Optimal Online-Offline Protection
Device-Enhanced Password Protocols with Optimal Online-Offline Protection Stanislaw Jarecki Hugo Krawczyk Maliheh Shirvanian Nitesh Saxena March 29, 2017 Abstract We introduce a setting that we call Device-Enhanced
More informationPassword. authentication through passwords
Password authentication through passwords Human beings Short keys; possibly used to generate longer keys Dictionary attack: adversary tries more common keys (easy with a large set of users) Trojan horse
More informationIntroduction to Cryptography Lecture 7
Introduction to Cryptography Lecture 7 El Gamal Encryption RSA Encryption Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing
More informationCSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring 2018 5 and 6 February 2018 Identification schemes are mechanisms for Alice to prove her identity to Bob They comprise a setup
More informationICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification
ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification Hossen Asiful Mustafa Introduction Entity Authentication is a technique designed to let one party prove the identity of another
More information1 Identification protocols
ISA 562: Information Security, Theory and Practice Lecture 4 1 Identification protocols Now that we know how to authenticate messages using MACs, a natural question is, how can we use MACs to prove that
More informationPassword Authenticated Key Exchange by Juggling
A key exchange protocol without PKI Feng Hao Centre for Computational Science University College London Security Protocols Workshop 08 Outline 1 Introduction 2 Related work 3 Our Solution 4 Evaluation
More informationIdentification Schemes
Identification Schemes Lecture Outline Identification schemes passwords one-time passwords challenge-response zero knowledge proof protocols Authentication Data source authentication (message authentication):
More informationCS 395T. Formal Model for Secure Key Exchange
CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,
More informationEncryption from the Diffie-Hellman assumption. Eike Kiltz
Encryption from the Diffie-Hellman assumption Eike Kiltz Elliptic curve public-key crypto Key-agreement Signatures Encryption Diffie-Hellman 76 passive security ElGamal 84 passive security Hybrid DH (ECDH)
More informationOne-Time-Password-Authenticated Key Exchange
One-Time-Password-Authenticated Key Exchange Kenneth G. Paterson 1 and Douglas Stebila 2 1 Information Security Group Royal Holloway, University of London, Egham, Surrey, UK 2 Information Security Institute
More informationAuth. Key Exchange. Dan Boneh
Auth. Key Exchange Review: key exchange Alice and want to generate a secret key Saw key exchange secure against eavesdropping Alice k eavesdropper?? k This lecture: Authenticated Key Exchange (AKE) key
More informationCrypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))
Introduction (Mihir Bellare Text/Notes: http://cseweb.ucsd.edu/users/mihir/cse207/) Cryptography provides: Data Privacy Data Integrity and Authenticity Crypto-systems all around us ATM machines Remote
More informationLecture 8: Cryptography in the presence of local/public randomness
Randomness in Cryptography Febuary 25, 2013 Lecture 8: Cryptography in the presence of local/public randomness Lecturer: Yevgeniy Dodis Scribe: Hamidreza Jahanjou So far we have only considered weak randomness
More informationProving who you are. Passwords and TLS
Proving who you are Passwords and TLS Basic, fundamental problem Client ( user ) How do you prove to someone that you are who you claim to be? Any system with access control must solve this Users and servers
More informationID protocols. Overview. Dan Boneh
ID protocols Overview The Setup sk Alg. G vk vk either public or secret User P (prover) Server V (verifier) no key exchange yes/no Applications: physical world Physical locks: (friend-or-foe) Wireless
More informationRobust EC-PAKA Protocol for Wireless Mobile Networks
International Journal of Mathematical Analysis Vol. 8, 2014, no. 51, 2531-2537 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ijma.2014.410298 Robust EC-PAKA Protocol for Wireless Mobile Networks
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Security Handshake Pitfalls Login only Mutual
More informationPass, No Record: An Android Password Manager
Pass, No Record: An Android Password Manager Alex Konradi, Samuel Yeom December 4, 2015 Abstract Pass, No Record is an Android password manager that allows users to securely retrieve passwords from a server
More informationPYTHIA SERVICE BY VIRGIL SECURITY WHITE PAPER
PYTHIA SERVICE WHITEPAPER BY VIRGIL SECURITY WHITE PAPER May 21, 2018 CONTENTS Introduction 2 How does Pythia solve these problems? 3 Are there any other solutions? 4 What is Pythia? 4 How does it work?
More informationDistributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018
Distributed Systems 25. Authentication Paul Krzyzanowski Rutgers University Fall 2018 2018 Paul Krzyzanowski 1 Authentication For a user (or process): Establish & verify identity Then decide whether to
More informationKey Establishment and Authentication Protocols EECE 412
Key Establishment and Authentication Protocols EECE 412 1 where we are Protection Authorization Accountability Availability Access Control Data Protection Audit Non- Repudiation Authentication Cryptography
More informationCS November 2018
Authentication Distributed Systems 25. Authentication For a user (or process): Establish & verify identity Then decide whether to allow access to resources (= authorization) Paul Krzyzanowski Rutgers University
More informationMTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov October 31, 2005 Abstract Standard security assumptions (IND-CPA, IND- CCA) are explained. A number of cryptosystems
More informationCOMPOSABLE AND ROBUST OUTSOURCED STORAGE
SESSION ID: CRYP-R14 COMPOSABLE AND ROBUST OUTSOURCED STORAGE Christian Badertscher and Ueli Maurer ETH Zurich, Switzerland Motivation Server/Database Clients Write Read block 2 Outsourced Storage: Security
More informationPriced Oblivious Transfer: How to Sell Digital Goods
Priced Oblivious Transfer: How to Sell Digital Goods Bill Aiello, Yuval Ishai, and Omer Reingold Abstract. We consider the question of protecting the privacy of customers buying digital goods. More specifically,
More informationCryptographic Systems
CPSC 426/526 Cryptographic Systems Ennan Zhai Computer Science Department Yale University Recall: Lec-10 In lec-10, we learned: - Consistency models - Two-phase commit - Consensus - Paxos Lecture Roadmap
More informationDISTRIBUTED PASSWORD AUTHENTICATION
DISTRIBUTED PASSWORD AUTHENTICATION Evan Liu, Brendon Go, Kenneth Xu Department of Computer Science Stanford University Stanford, CA 94305, USA {evanliu, bgo, kenxu95}@cs.stanford.edu ABSTRACT Traditional
More informationCryptography. Lecture 12. Arpita Patra
Cryptography Lecture 12 Arpita Patra Digital Signatures q In PK setting, privacy is provided by PKE q Integrity/authenticity is provided by digital signatures (counterpart of MACs in PK world) q Definition:
More informationVTBPEKE: Verifier-based Tw o-basis Password Exponenti al Key Exchange
VTBPEKE: Verifier-based Tw o-basis Password Exponenti al Key Exchange IETF 101, London March, 2018 Guilin Wang (wang.guilin@huawei.com) www.huawei.com Content PAKE: Terminology, Challenges, Existing Solutions
More informationCryptographic Concepts
Outline Identify the different types of cryptography Learn about current cryptographic methods Chapter #23: Cryptography Understand how cryptography is applied for security Given a scenario, utilize general
More informationAlice in Cyber world
Alice in Cyber world Protecting Secrets in The Connected World K.S.Sreedharan Director IT Zoho Cast Alice Claude Eve Bob Govan Story So Far Symmetric Key Asymmetric Key Twist in the Tale Claude Convenience
More informationCS408 Cryptography & Internet Security
CS408 Cryptography & Internet Security Lectures 16, 17: Security of RSA El Gamal Cryptosystem Announcement Final exam will be on May 11, 2015 between 11:30am 2:00pm in FMH 319 http://www.njit.edu/registrar/exams/finalexams.php
More informationIntroduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell
Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell 1 Cryptography Merriam-Webster Online Dictionary: 1. secret writing 2. the enciphering and deciphering
More informationThe Challenges of Distributing Distributed Cryptography. Ari Juels Chief Scientist, RSA
The Challenges of Distributing Distributed Cryptography Ari Juels Chief Scientist, RSA What is this new and mysterious technology? Hint: It s 20+ years old. R. Ostrovsky and M. Yung. How to withstand
More informationOn the Security of a Certificateless Public-Key Encryption
On the Security of a Certificateless Public-Key Encryption Zhenfeng Zhang, Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100080,
More informationIntroduction to Cryptography Lecture 7
Introduction to Cryptography Lecture 7 Public-Key Encryption: El-Gamal, RSA Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing
More informationDevice-Enhanced Password Protocols with Optimal Online-Offline Protection
Device-Enhanced Password Protocols with Optimal Online-Offline Protection ABSTRACT Stanislaw Jarecki University of California Irvine stasio@ics.uci.edu Maliheh Shirvanian University of Alabama at Birmingham
More informationCIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm
CIS 4360 Introduction to Computer Security Fall 2010 WITH ANSWERS in bold Name:.................................... Number:............ First Midterm Instructions This is a closed-book examination. Maximum
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 9 March 30, 2011 Question 1 Another Use for Hash Functions (8 min) The traditional Unix system for password authentication works more or less like
More informationStructure-Preserving Certificateless Encryption and Its Application
SESSION ID: CRYP-T06 Structure-Preserving Certificateless Encryption and Its Application Prof. Sherman S. M. Chow Department of Information Engineering Chinese University of Hong Kong, Hong Kong @ShermanChow
More informationCS Computer Networks 1: Authentication
CS 3251- Computer Networks 1: Authentication Professor Patrick Traynor 4/14/11 Lecture 25 Announcements Homework 3 is due next class. Submit via T-Square or in person. Project 3 has been graded. Scores
More informationCourse Business. Homework due today Final Exam Review on Monday, April 24 th Practice Final Exam Solutions Released Monday
Course Business Homework due today Final Exam Review on Monday, April 24 th Practice Final Exam Solutions Released Monday Final Exam on Monday, May 1 st (in this classroom) Adib will proctor I am traveling
More informationOffline dictionary attack on TCG TPM weak authorisation data, and solution
Offline dictionary attack on TCG TPM weak authorisation data, and solution Liqun Chen HP Labs, UK Mark Ryan HP Labs, UK, and University of Birmingham Abstract The Trusted Platform Module (TPM) is a hardware
More informationCryptographic Hash Functions
ECE458 Winter 2013 Cryptographic Hash Functions Dan Boneh (Mods by Vijay Ganesh) Previous Lectures: What we have covered so far in cryptography! One-time Pad! Definition of perfect security! Block and
More informationMODULE NO.28: Password Cracking
SUBJECT Paper No. and Title Module No. and Title Module Tag PAPER No. 16: Digital Forensics MODULE No. 28: Password Cracking FSC_P16_M28 TABLE OF CONTENTS 1. Learning Outcomes 2. Introduction 3. Nature
More informationLecture 18 - Chosen Ciphertext Security
Lecture 18 - Chosen Ciphertext Security Boaz Barak November 21, 2005 Public key encryption We now go back to public key encryption. As we saw in the case of private key encryption, CPA security is not
More informationIntroduction to Cryptography. Lecture 6
Introduction to Cryptography Lecture 6 Benny Pinkas page 1 1 Data Integrity, Message Authentication Risk: an active adversary might change messages exchanged between Alice and Bob M Alice M M M Bob Eve
More informationENEE 459-C Computer Security. Security protocols (continued)
ENEE 459-C Computer Security Security protocols (continued) Key Agreement: Diffie-Hellman Protocol Key agreement protocol, both A and B contribute to the key Setup: p prime and g generator of Z p *, p
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Identification To identify yourself, you need something the adversary doesn t have Typical factors:
More information===============================================================================
We have looked at how to use public key crypto (mixed with just the right amount of trust) for a website to authenticate itself to a user's browser. What about when Alice needs to authenticate herself
More informationHomework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.
Homework 2: Symmetric Crypto February 17, 2015 Submission policy. information: This assignment MUST be submitted as a PDF via websubmit and MUST include the following 1. List of collaborators 2. List of
More informationProceedings of the 10 th USENIX Security Symposium
USENIX Association Proceedings of the 10 th USENIX Security Symposium Washington, D.C., USA August 13 17, 2001 THE ADVANCED COMPUTING SYSTEMS ASSOCIATION 2001 by The USENIX Association All Rights Reserved
More informationRSA. Public Key CryptoSystem
RSA Public Key CryptoSystem DIFFIE AND HELLMAN (76) NEW DIRECTIONS IN CRYPTOGRAPHY Split the Bob s secret key K to two parts: K E, to be used for encrypting messages to Bob. K D, to be used for decrypting
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Identification Identification Identification To identify yourself, you need something the adversary doesn t have Typical factors:
More informationPlaintext Awareness via Key Registration
Plaintext Awareness via Key Registration Jonathan Herzog CIS, TOC, CSAIL, MIT Plaintext Awareness via Key Registration p.1/38 Context of this work Originates from work on Dolev-Yao (DY) model Symbolic
More informationInformation Security & Privacy
IS 2150 / TEL 2810 Information Security & Privacy James Joshi Associate Professor, SIS Lecture 8 Feb 24, 2015 Authentication, Identity 1 Objectives Understand/explain the issues related to, and utilize
More informationGeneric Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model
Generic Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model Janaka Alawatugoda Department of Computer Engineering University of Peradeniya,
More informationRef:
Cryptography & digital signature Dec. 2013 Ref: http://cis.poly.edu/~ross/ 2 Cryptography Overview Symmetric Key Cryptography Public Key Cryptography Message integrity and digital signatures References:
More informationCS 161 Computer Security
Popa & Wagner Spring 2016 CS 161 Computer Security Midterm 2 Print your name:, (last) (first) I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that academic misconduct will be
More informationNotes for Lecture 14
COS 533: Advanced Cryptography Lecture 14 (November 6, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Fermi Ma Notes for Lecture 14 1 Applications of Pairings 1.1 Recap Consider a bilinear e
More informationSecurity of Cryptosystems
Security of Cryptosystems Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Symmetric key cryptosystem m M 0 c Enc sk (m) sk Gen c sk m Dec sk (c) A randomised key generation algorithm outputs
More informationWhat is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource.
P1L4 Authentication What is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource. Authentication: Who are you? Prove it.
More informationAuthenticating People and Machines over Insecure Networks
Authenticating People and Machines over Insecure Networks EECE 571B Computer Security Konstantin Beznosov authenticating people objective Alice The Internet Bob Password= sesame Password= sesame! authenticate
More informationHY-457 Information Systems Security
HY-457 Information Systems Security Recitation 1 Panagiotis Papadopoulos(panpap@csd.uoc.gr) Kostas Solomos (solomos@csd.uoc.gr) 1 Question 1 List and briefly define categories of passive and active network
More information10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms
Authentication IT443 Network Security Administration Instructor: Bo Sheng Authentication Mechanisms Key Distribution Center and Certificate Authorities Session Key 1 2 Authentication Authentication is
More informationCIS 6930/4930 Computer and Network Security. Topic 6. Authentication
CIS 6930/4930 Computer and Network Security Topic 6. Authentication 1 Authentication Authentication is the process of reliably verifying certain information. Examples User authentication Allow a user to
More informationRefining Computationally Sound Mech. Proofs for Kerberos
Refining Computationally Sound Mechanized Proofs for Kerberos Bruno Blanchet Aaron D. Jaggard Jesse Rao Andre Scedrov Joe-Kai Tsay 07 October 2009 Protocol exchange Meeting Partially supported by ANR,
More informationCSCE 548 Building Secure Software Entity Authentication. Professor Lisa Luo Spring 2018
CSCE 548 Building Secure Software Entity Authentication Professor Lisa Luo Spring 2018 Previous Class Important Applications of Crypto User Authentication verify the identity based on something you know
More informationUser Authentication Protocols
User Authentication Protocols Class 5 Stallings: Ch 15 CIS-5370: 26.September.2016 1 Announcement Homework 1 is due today by end of class CIS-5370: 26.September.2016 2 User Authentication The process of
More informationIdeal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012
Ideal Security Protocol Satisfies security requirements Requirements must be precise Efficient Small computational requirement Small bandwidth usage, network delays Not fragile Works when attacker tries
More informationA public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks
A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks Jan Camenisch 1, Nishanth Chandran 2, and Victor Shoup 3 1 IBM Research, work funded
More informationRobust Two-factor Smart Card Authentication
Robust Two-factor Smart Card Authentication Omer Mert Candan Sabanci University Istanbul, Turkey mcandan@sabanciuniv.edu Abstract Being very resilient devices, smart cards have been commonly used for two-factor
More informationGroup-based Proxy Re-encryption Scheme Secure against Chosen Ciphertext Attack
International Journal of Network Security, Vol.8, No., PP.266 270, May 2009 266 Group-based Proxy Re-encryption Scheme Secure against Chosen Ciphertext Attack Chunbo Ma and Jun Ao (Corresponding author:
More informationOverview. Terminology. Password Storage
Class: CSG254 Network Security Team: Enigma (team 2) Kevin Kingsbury Tejas Parikh Tony Ryan Shenghan Zhang Assignment: PS3 Secure IM system Overview Our system uses a server to store the passwords, and
More informationAnalysis, demands, and properties of pseudorandom number generators
Analysis, demands, and properties of pseudorandom number generators Jan Krhovják Department of Computer Systems and Communications Faculty of Informatics, Masaryk University Brno, Czech Republic Jan Krhovják
More informationSecurity Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017
Security Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017 Hyung Tae Lee 1, Huaxiong Wang 2, Kai Zhang 3, 4 1 Chonbuk National University, Republic of Korea 2 Nanyang
More informationSecurity Handshake Pitfalls
Security Handshake Pitfalls 1 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: Authenticate each other Establish sessions keys This process may
More informationAuthenticating compromisable storage systems
Authenticating compromisable storage systems Jiangshan Yu Interdisciplinary Center for Security, Reliability and Trust University of Luxembourg Email: jiangshan.yu@uni.lu Mark Ryan School of Computer Science
More informationCryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1
Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography CS555 Spring 2012/Topic 16 1 Outline and Readings Outline Private key management between two parties Key management
More informationOutline. Block cipher, basic idea. From last time. Pseudorandom permutation. Confusion and diffusion. Block ciphers and modes of operation
Outline Block ciphers and modes of operation CSci 5271 Introduction to Computer Security Day 15: Cryptography part 2: public-key Stephen McCamant University of Minnesota, Computer Science & Engineering
More informationPasswords. CS 166: Introduction to Computer Systems Security. 3/1/18 Passwords J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.
Passwords CS 166: Introduction to Computer Systems Security 1 Source: https://shop.spectator.co.uk/wp-content/uploads/2015/03/open-sesame.jpg 2 Password Authentication 3 What Do These Passwords Have in
More informationAuthenticated Encryption in TLS
Authenticated Encryption in TLS Same modelling & verification approach concrete security: each lossy step documented by a game and a reduction (or an assumption) on paper Standardized complications - multiple
More informationUnbounded Inner Product Functional Encryption from Bilinear Maps ASIACRYPT 2018
Unbounded Inner Product Functional Encryption from Bilinear Maps ASIACRYPT 2018 Junichi Tomida (NTT), Katsuyuki Takashima (Mitsubishi Electric) Functional Encryption[OʼNeill10, BSW11] msk Bob f(x) sk f
More informationSession key establishment protocols
our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session
More informationOutline. From last time. Feistel cipher. Some DES history DES. Block ciphers and modes of operation
Outline CSci 5271 Introduction to Computer Security Day 15: Cryptography part 2: public-key Stephen McCamant University of Minnesota, Computer Science & Engineering From last time Goal: bootstrap from
More informationCSC 774 Network Security
CSC 774 Network Security Topic 2. Review of Cryptographic Techniques CSC 774 Dr. Peng Ning 1 Outline Encryption/Decryption Digital signatures Hash functions Pseudo random functions Key exchange/agreement/distribution
More informationECEN 5022 Cryptography
Introduction University of Colorado Spring 2008 Historically, cryptography is the science and study of secret writing (Greek: kryptos = hidden, graphein = to write). Modern cryptography also includes such
More informationSession key establishment protocols
our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session
More informationSecurity Handshake Pitfalls
Security Handshake Pitfalls Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr 1 Cryptographic Authentication Password authentication is subject to eavesdropping Alternative: Cryptographic challenge-response
More informationDigital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2
Digital Signatures KG November 3, 2017 Contents 1 Introduction 1 2 Digital Signatures 2 3 Hash Functions 3 3.1 Attacks.................................... 4 3.2 Compression Functions............................
More informationMike Reiter. University of North Carolina at Chapel Hill. Proliferation of mobile devices. Proliferation of security-relevant apps using these
1 Capture-Resilient Cryptographic Devices Mike Reiter University of North Carolina at Chapel Hill Relevant Trends 2 Proliferation of mobile devices Proliferation of networking Proliferation of security-relevant
More informationCSC/ECE 774 Advanced Network Security
Computer Science CSC/ECE 774 Advanced Network Security Topic 2. Network Security Primitives CSC/ECE 774 Dr. Peng Ning 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange;
More informationUser Authentication Protocols Week 7
User Authentication Protocols Week 7 CEN-5079: 2.October.2017 1 Announcement Homework 1 is posted on the class webpage Due in 2 weeks 10 points (out of 100) subtracted each late day CEN-5079: 2.October.2017
More information