Auth. Key Exchange. Dan Boneh
|
|
- Wendy Rich
- 5 years ago
- Views:
Transcription
1 Auth. Key Exchange
2 Review: key exchange Alice and want to generate a secret key Saw key exchange secure against eavesdropping Alice k eavesdropper?? k This lecture: Authenticated Key Exchange (AKE) key exchange secure against active adversaries
3 Active adversary Adversary has complete control of the network: Can modify, inject and delete packets Example: man-in-the-middle Alice m Adv. m Moreover, some users are honest and others are corrupt Corrupt users are controlled by the adversary Key exchange with corrupt users should not affect other sessions Adversary may corrupt an honest user at time T We want sessions established at time t < T to remain secure
4 Trusted Third Party (TTP) All AKE protocols require a TTP to certify user identities. Registration process: Alice I am Alice, proof TTP I am.com, proof sk alice Two types of TTP: sk bank Online TTP: actively participates in every key exchange (Kerberos) Benefit: security using only symmetric crypto Offline TTP (CA): contacted only during registration ( not quite true)
5 AKE: syntax Alice sk alice cert alice Alice sk bank cert bank vk CA vk CA k, or k, Alice or Followed by Alice sending E(k, data ) to
6 AKE security (very informal) Suppose Alice successfully completes an AKE to obtain (k, ) If is not corrupt then: Authenticity for Alice: (similarly for ) If Alice s key k is shared with anyone, it is only shared with Secrecy for Alice: (similarly for ) To the adversary, Alice s key k is indistinguishable from random (even if adversary sees keys from other instances of Alice or ) Consistency: if completes AKE then it obtains (k, Alice)
7 One-sided AKE?? vk CA Alice sk bank cert bank vk CA k, or k,?? or Security: authenticity for Alice and secrecy for Alice has no guarantees for identity of peer (no consistency) Commonly used on the Web (often followed by ID protocol)
8 Things to remember Do not design AKE protocol yourself Just use latest version of TLS
9 Building blocks cert bank : contains pk bank. has sk bank. E bank ((m,r)) = E(pk bank, (m,r)) where E is chosen-ciphertext secure Recall: from E bank ((m,r)) adv. cannot build E bank ((m,r )) for r r S alice ((m,r)) = S( sk alice, (m,r) ) where S is a signing algorithm R: some large set, e.g. {0,1} 256
10 Protocol #1
11 Simple one-sided AKE protocol k K?? r R, cert bank Alice c E bank ((k, r)) sk bank cert bank k, k,?? decrypt(c), check correct r Thm : this protocol is a secure one-sided AKE Informally: if Alice and are not corrupt then we have (1) secrecy for Alice and (2) authenticity for Alice
12 Insecure variant 1: r not encrypted r R, cert bank k K Alice c E bank (k) sk bank cert bank no r k, k,?? Problem: replay attack
13 Replay attack r R, cert bank k K Alice c E bank (k) c 1 E sym (k, I am Alice, pay Bob 30$ ) sk bank cert bank Later: r R, cert bank c sk bank cert bank c 1
14 Protocol #2
15 Simple one-sided AKE with forward-secrecy check sig. σ k K?? Alice pk, cert bank σ S bank (pk) c E(pk, k) sk bank cert bank (pk, sk) Gen k D(sk, c) delete sk k, k,?? (pk, sk) are ephemeral: sk is deleted when protocol completes Compromise of : past sessions are unaffected
16 Insecure variant: do not sign pk k K?? Alice pk, cert bank σ S bank (pk) c E(pk, k) (pk, sk) Gen k D(sk, c) delete sk k, k,?? Attack: complete key exposure
17 Attack: key exposure bank pk, cert bank Alice (pk, sk ) Gen (pk, sk) Gen pk, cert bank k K c E(pk, k) E sym (k, data ) Adv. gets k and data
18 Two-sided AKE For now: no forward secrecy
19 Two-sided AKE (mutual authentication) sk alice cert alice k K bank Alice k, r R, cert bank c E bank ((k, alice )) σ S alice ((r, c, bank )), cert alice Thm : this protocol is a secure AKE Informally: alice k, Alice sk bank cert bank decrypt(c), check correct id, check sig. σ if Alice and are not corrupt then we have (1) secrecy and (2) authenticity for Alice and for
20 Insecure variant: encrypt r instead of Alice Any change to protocol makes it insecure, sometime in subtle ways Example: sk alice cert alice k K bank r R, cert bank Alice c E bank ((k, r)) σ S alice ((r, c, bank )), cert alice k, alice k, Alice sk bank cert bank decrypt(c), check correct r, check sig. σ
21 bank Alice Attack: identity misbinding r R, cert bank c E bank ((k, r)) σ S alice ((r, c, bank )), cert alice c σ S evil ((r, c, bank )), cert evil E sym (k, deposit this check into my account ) evil decrypt(c), check r, check sig. σ
22 Insecure variant: do not sign c sk alice bank r R, cert bank alice cert alice k K Alice c E bank ((k, alice )) sk bank cert bank k, σ S alice ((r, bank )), cert alice no c k, Alice decrypt(c), check correct id, check sig. σ Attack: key exposure
23 Attack: key exposure bank Alice r R, cert bank c E bank ((k, Alice )) σ S alice ((r, bank )), cert alice c E bank ((k, Alice )) σ, cert alice E sym (k, data ) alice decrypt(c ), check id, check sig. σ Adversary can read data
24 Many more AKE variants Two-sided AKE with forward secrecy: AKE with end-point privacy: Goal: certificates are not visible to adversary (TLS 1.3) AKE based on a shared secret between Alice and : High entropy shared secret: want forward secrecy Password: ensure no offline dictionary attack (PAKE)
25 Online Cryptography Course Auth. key exchange TLS v1.2 key exchange
26 TLS session setup (handshake) Client C ClientHello (and extensions) [Certificate], ClientKeyExchange, [CertificateVerify] ServerHello (and ext.), [Certificate], [ServerKeyExchange], [CertificateRequest], ServerHelloDone Server secret key S cert ChangeCipherSpec Finished ChangeCipherSpec Finished Application Data
27 Brief overview of SSL/TLS browser ClientHello (cipher-list) ServerHello (cipher), ServerCert (PK) server cert SK key exchange (many options): RSA, DHE, ECDHE, [ServerKeyExchange] ClientKeyExchange PreK Finished (key & params confirmation) PreK HTTP data encrypted with KDF(PreK) In this diagram: one sided authentication (no client authentication)
28 The need for negotiating ciphers US browser prefer NIST ciphers Russian browser Prefer GOST ciphers (Russian) does not understand ECDHE Web server in Russia old browser
29 Abstract TLS: RSA exchange (simplified) Client ClientHello: r C, SID, cipher-list Server verify cert S pick random 46 byte PreK ServerHello: r S, SID, cipher, cert S ClientKeyExchange: c E(pk S, PreK) MasterK PRF ms ( PreK, r C ll r S ) SessionKeys PRF ke ( MasterK, r S ll r C ) secret key cert S decrypt c to get PreK Finished (FinishedData) Finished (FinishedData) Key Confirmation: FinishedData = PRF vd ( MasterK, hash(handshakemessages) )
30 Properties r C, r S : prevent replay of of old session RSA key exchange: no forward secrecy Compromise of server secret key exposes old sessions Costly RSA decryption on server, easier RSA enc. on client One sided identification: Browser identifies server using server-cert Server has no guarantees about client s identity TLS has support for mutual auth. (client needs sk C and cert C )
31 TLS key exchange with forward-secrecy (DHE) Client verify cert S and σ random b in 1..p ClientHello(r c ) (simplified) ServerHello(r p, g, A g a s ), Cert, ServerKeyExchange (p), σ sign(sk S, (r c,r s,p,g,a)) ClientKeyExchange: B g b (p) PreK g ab MasterK PRF ms ( PreK, r C ll r S ) Fix prime p and g sk S : signing key Server random a in 1..p PreK g ab Delete b SessionKeys PRF ke ( MasterK, r S ll r C ) Finished Finished Delete a
32 Prefer ECDHE over DHE Elliptic curve Diffie-Hellman
33 Performance: RSA vs. forward-secrecy Cost of crypto operations on server per handshake: RSA key exchange: one RSA-2048 decryption (deprecated in TLS 1.3) ECDHE: Diffie-Hellman in group G with generator g G 1. One exp. to compute A g a G 2. One sig. on Diffie-Hellman parameters (G,g,A) 3. One exp. to compute DH secret: PreK g ab G must be done for every handshake Server support (2014): RSA (99.9%), DHE (60%), ECDHE(18%)
34 Session Resume Goal: reduce # of full handshakes server Alice MasterK Full handshake MasterK Session Store Few hours later (new TCP connection) Alice Abbreviated handshake reuse old MasterK retrieve old MasterK
35 Client MasterK(bank) C Session resume (simplified) SID C =0: full handshake SID C 0: resume old session If SID C = SID S then resume else full ClientHello: r C, SID C ServerHello: r S, SID S SID S SID C if SID C ST SID S random, otherwise SessionKeys PRF ke ( MasterK, r S ll r C ) Session Store (ST) MasterK(Alice) ChangeCipherSpec Finished ChangeCipherSpec Finished
36 THE END
Computer Security Course. Public Key Crypto. Slides credit: Dan Boneh
Computer Security Course. Dawn Song Public Key Crypto Slides credit: Dan Boneh Administra>ve Issues Security is a fast- changing field We cover a broad spectrum of areas in computer security Hence, there
More informationMTAT Applied Cryptography
MTAT.07.017 Applied Cryptography Transport Layer Security (TLS) Advanced Features University of Tartu Spring 2016 1 / 16 Client Server Authenticated TLS ClientHello ServerHello, Certificate, ServerHelloDone
More informationPublic-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7
Public-Key Cryptography Professor Yanmin Gong Week 3: Sep. 7 Outline Key exchange and Diffie-Hellman protocol Mathematical backgrounds for modular arithmetic RSA Digital Signatures Key management Problem:
More information18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange. Dan Boneh
18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange Online Cryptography Course Basic key exchange Trusted 3 rd parties Key management Problem: n users. Storing mutual secret keys is difficult
More informationCS 161 Computer Security
Raluca Ada Popa Spring 2018 CS 161 Computer Security Discussion 6 Week of February 26, 2018 Question 1 TLS threats (10 min) An attacker is trying to attack the company Boogle and its users. Assume that
More informationNetwork Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014
Network Security: TLS/SSL Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2014 Outline 1. Diffie-Hellman key exchange (recall from earlier) 2. Key exchange using public-key encryption
More informationNetwork Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010
Network Security: TLS/SSL Tuomas Aura T-110.5240 Network security Aalto University, Nov-Dec 2010 Outline 1. Diffie-Hellman 2. Key exchange using public-key encryption 3. Goals of authenticated key exchange
More informationInternet security and privacy
Internet security and privacy SSL/TLS 1 Application layer App. TCP/UDP IP L2 L1 2 Application layer App. SSL/TLS TCP/UDP IP L2 L1 3 History of SSL/TLS Originally, SSL Secure Socket Layer, was developed
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.
CS355: Cryptography Lecture 17: X509. PGP. Authentication protocols. Key establishment. Public Keys and Trust Public Key:P A Secret key: S A Public Key:P B Secret key: S B How are public keys stored How
More informationData Security and Privacy. Topic 14: Authentication and Key Establishment
Data Security and Privacy Topic 14: Authentication and Key Establishment 1 Announcements Mid-term Exam Tuesday March 6, during class 2 Need for Key Establishment Encrypt K (M) C = Encrypt K (M) M = Decrypt
More informationIPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43
0/43 IPsec and SSL/TLS Applied Cryptography 0 Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, 2016 Cryptography in the TCP/IP stack application layer transport layer network layer data-link
More informationOnline Cryptography Course. Basic key exchange. Trusted 3 rd par7es. Dan Boneh
Online Cryptography Course Dan Boneh Basic key exchange Trusted 3 rd par7es Key management Problem: n users. Storing mutual secret keys is difficult Total: O(n) keys per user A befer solu7on Online Trusted
More informationInformation Security CS 526
Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric
More informationCSCE 715: Network Systems Security
CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina Web Security Web is now widely used by business, government, and individuals But Internet and Web are
More informationL13. Reviews. Rocky K. C. Chang, April 10, 2015
L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing
More informationChapter 4: Securing TCP connections
Managing and Securing Computer Networks Guy Leduc Chapter 5: Securing TCP connections Computer Networking: A Top Down Approach, 6 th edition. Jim Kurose, Keith Ross Addison-Wesley, March 2012. (section
More informationKey Agreement Schemes
Key Agreement Schemes CSG 252 Lecture 9 November 25, 2008 Riccardo Pucella Key Establishment Problem PK cryptosystems have advantages over SK cryptosystems PKCs do not need a secure channel to establish
More informationTransport Layer Security
Cryptography and Security in Communication Networks Transport Layer Security ETTI - Master - Advanced Wireless Telecommunications Secure channels Secure data delivery on insecure networks Create a secure
More informationTransport Layer Security
CEN585 Computer and Network Security Transport Layer Security Dr. Mostafa Dahshan Department of Computer Engineering College of Computer and Information Sciences King Saud University mdahshan@ksu.edu.sa
More informationCIS 4360 Secure Computer Systems Applied Cryptography
CIS 4360 Secure Computer Systems Applied Cryptography Professor Qiang Zeng Spring 2017 Symmetric vs. Asymmetric Cryptography Symmetric cipher is much faster With asymmetric ciphers, you can post your Public
More informationCryptographic Protocols 1
Cryptographic Protocols 1 Luke Anderson luke@lukeanderson.com.au 5 th May 2017 University Of Sydney Overview 1. Crypto-Bulletin 2. Problem with Diffie-Hellman 2.1 Session Hijacking 2.2 Encrypted Key Exchange
More informationCSC 5930/9010 Modern Cryptography: Public Key Cryptography
CSC 5930/9010 Modern Cryptography: Public Key Cryptography Professor Henry Carter Fall 2018 Recap Number theory provides useful tools for manipulating integers and primes modulo a large value Abstract
More informationCryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1
Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography CS555 Spring 2012/Topic 16 1 Outline and Readings Outline Private key management between two parties Key management
More informationApplied Cryptography and Computer Security CSE 664 Spring 2017
Applied Cryptography and Computer Security Lecture 18: Key Distribution and Agreement Department of Computer Science and Engineering University at Buffalo 1 Key Distribution Mechanisms Secret-key encryption
More informationKey Establishment and Authentication Protocols EECE 412
Key Establishment and Authentication Protocols EECE 412 1 where we are Protection Authorization Accountability Availability Access Control Data Protection Audit Non- Repudiation Authentication Cryptography
More informationCrypto meets Web Security: Certificates and SSL/TLS
CSE 484 / CSE M 584: Computer Security and Privacy Crypto meets Web Security: Certificates and SSL/TLS Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationLecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from
Lecture 15 PKI & Authenticated Key Exchange COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Today We will see how signatures are used to create public-key infrastructures
More informationComputer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 10r. Recitation assignment & concept review Paul Krzyzanowski Rutgers University Spring 2018 April 3, 2018 CS 419 2018 Paul Krzyzanowski 1 1. What is a necessary condition for perfect
More informationSecurely Deploying TLS 1.3. September 2017
Securely Deploying TLS 1.3 September 2017 Agenda Why TLS 1.3? Zero Round Trip Time (0-RTT) requests Forward secrecy Resumption key management Why TLS 1.3? Speed TLS impacts latency, not thoroughput Protocol
More informationCryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography
Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography Key Management The first key in a new connection or association is always delivered via a courier Once you have a key, you
More informationSecurity Protocols. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel
Security Protocols Professor Patrick McDaniel CSE545 - Advanced Network Security Spring 2011 CSE545 - Advanced Network Security - Professor McDaniel 1 Case Study: Host Access The first systems used telnet
More informationSharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer
SharkFest 17 Europe SSL/TLS Decryption uncovering secrets Wednesday November 8th, 2017 Peter Wu Wireshark Core Developer peter@lekensteyn.nl 1 About me Wireshark contributor since 2013, core developer
More informationSecuring IoT applications with Mbed TLS Hannes Tschofenig
Securing IoT applications with Mbed TLS Hannes Tschofenig Part#2: Public Key-based authentication March 2018 Munich Agenda For Part #2 of the webinar we are moving from Pre-Shared Secrets (PSKs) to certificated-based
More informationCIS 6930/4930 Computer and Network Security. Topic 8.2 Internet Key Management
CIS 6930/4930 Computer and Network Security Topic 8.2 Internet Key Management 1 Key Management Why do we need Internet key management AH and ESP require encryption and authentication keys Process to negotiate
More informationCryptography (Overview)
Cryptography (Overview) Some history Caesar cipher, rot13 substitution ciphers, etc. Enigma (Turing) Modern secret key cryptography DES, AES Public key cryptography RSA, digital signatures Cryptography
More informationSSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1
SSL/TLS & 3D Secure CS 470 Introduction to Applied Cryptography Ali Aydın Selçuk CS470, A.A.Selçuk SSL/TLS & 3DSec 1 SSLv2 Brief History of SSL/TLS Released in 1995 with Netscape 1.1 Key generation algorithm
More informationSecurity Protocols and Infrastructures. Winter Term 2010/2011
Winter Term 2010/2011 Chapter 4: Transport Layer Security Protocol Contents Overview Record Protocol Cipher Suites in TLS 1.2 Handshaking Protocols Final Discussion 2 Contents Overview Record Protocol
More informationSecurity issues: Encryption algorithms. Threats Methods of attack. Secret-key Public-key Hybrid protocols. CS550: Distributed OS.
Security issues: Threats Methods of attack Encryption algorithms Secret-key Public-key Hybrid protocols Lecture 15 Page 2 1965-75 1975-89 1990-99 Current Platforms Multi-user timesharing computers Distributed
More information1 Identification protocols
ISA 562: Information Security, Theory and Practice Lecture 4 1 Identification protocols Now that we know how to authenticate messages using MACs, a natural question is, how can we use MACs to prove that
More informationSecurity Protocols and Infrastructures. Winter Term 2015/2016
Winter Term 2015/2016 Nicolas Buchmann (Harald Baier) Chapter 8: Transport Layer Security Protocol Key Questions Application context of TLS? Which security goals shall be achieved? Approaches? 2 Contents
More informationOverview. SSL Cryptography Overview CHAPTER 1
CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through
More informationPractical Issues with TLS Client Certificate Authentication
Practical Issues with TLS Client Certificate Authentication Arnis Parsovs February 26, 2014 1 / 10 Motivation 2 / 10 Motivation Problems with password authentication: 2 / 10 Motivation Problems with password
More informationDiffie-Hellman. Part 1 Cryptography 136
Diffie-Hellman Part 1 Cryptography 136 Diffie-Hellman Invented by Williamson (GCHQ) and, independently, by D and H (Stanford) A key exchange algorithm o Used to establish a shared symmetric key Not for
More informationLecture 6.2: Protocols - Authentication and Key Exchange II. CS 436/636/736 Spring Nitesh Saxena. Course Admin
Lecture 6.2: Protocols - Authentication and Key II CS 436/636/736 Spring 2012 Nitesh Saxena Mid-Term Grading Course Admin Will be done over the break Scores will be posted online and graded exams distribute
More informationCryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption
and secure channel May 17, 2018 1 / 45 1 2 3 4 5 2 / 45 Introduction Simplified model for and decryption key decryption key plain text X KE algorithm KD Y = E(KE, X ) decryption ciphertext algorithm X
More informationUnderstand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS
Last Updated: Oct 31, 2017 Understand the TLS handshake Understand client/server authentication in TLS RSA key exchange DHE key exchange Explain certificate ownership proofs in detail What cryptographic
More informationCS155. Cryptography Overview
CS155 Cryptography Overview Cryptography Is n n A tremendous tool The basis for many security mechanisms Is not n n n n The solution to all security problems Reliable unless implemented properly Reliable
More informationE-commerce security: SSL/TLS, SET and others. 4.1
E-commerce security: SSL/TLS, SET and others. 4.1 1 Electronic payment systems Purpose: facilitate the safe and secure transfer of monetary value electronically between multiple parties Participating parties:
More informationRandomness Extractors. Secure Communication in Practice. Lecture 17
Randomness Extractors. Secure Communication in Practice Lecture 17 11:00-12:30 What is MPC? Manoj Monday 2:00-3:00 Zero Knowledge Muthu 3:30-5:00 Garbled Circuits Arpita Yuval Ishai Technion & UCLA 9:00-10:30
More informationCS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD
ERIK JONSSON SCHOOL OF ENGINEERING & COMPUTER SCIENCE Cyber Security Research and Education Institute CS 6324: Information Security Dr. Junia Valente Department of Computer Science The University of Texas
More informationWAP Security. Helsinki University of Technology S Security of Communication Protocols
WAP Security Helsinki University of Technology S-38.153 Security of Communication Protocols Mikko.Kerava@iki.fi 15.4.2003 Contents 1. Introduction to WAP 2. Wireless Transport Layer Security 3. Other WAP
More informationAlice in Cyber world
Alice in Cyber world Protecting Secrets in The Connected World K.S.Sreedharan Director IT Zoho Cast Alice Claude Eve Bob Govan Story So Far Symmetric Key Asymmetric Key Twist in the Tale Claude Convenience
More informationAuthenticating People and Machines over Insecure Networks
Authenticating People and Machines over Insecure Networks EECE 571B Computer Security Konstantin Beznosov authenticating people objective Alice The Internet Bob Password= sesame Password= sesame! authenticate
More informationIdeal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012
Ideal Security Protocol Satisfies security requirements Requirements must be precise Efficient Small computational requirement Small bandwidth usage, network delays Not fragile Works when attacker tries
More information1. Diffie-Hellman Key Exchange
e-pgpathshala Subject : Computer Science Paper: Cryptography and Network Security Module: Diffie-Hellman Key Exchange Module No: CS/CNS/26 Quadrant 1 e-text Cryptography and Network Security Objectives
More informationON THE SECURITY OF TLS RENEGOTIATION
ON THE SECURITY OF TLS RENEGOTIATION 2012/11/02 QUT Douglas Stebila European Network of Excellence in Cryptology II (ECRYPT II) Australian Technology Network German Academic Exchange Service (ATN-DAAD)
More informationReal-time protocol. Chapter 16: Real-Time Communication Security
Chapter 16: Real-Time Communication Security Mohammad Almalag Dept. of Computer Science Old Dominion University Spring 2013 1 Real-time protocol Parties negotiate interactively (Mutual) Authentication
More informationSSL/TLS FOR MORTALS.
SSL/TLS FOR MORTALS maartenm@infosupport.com @mthmulders Exception in thread "main" javax.net.ssl.sslhandshakeexception: sun.security.validator.validatorexception: PKIX path building failed: sun at sun.security.ssl.alerts.getsslexception(alerts.java:192)
More informationFelix Günther. Technische Universität Darmstadt, Germany. joint work with Benjamin Dowling, Marc Fischlin, and Douglas Stebila
A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates The main modes, 0-RTT, and replays Felix Günther Technische Universität Darmstadt, Germany joint work with Benjamin Dowling, Marc Fischlin,
More informationSecurity Protocols and Infrastructures
Security Protocols and Infrastructures Dr. Michael Schneider michael.schneider@h-da.de Chapter 8: The Transport Layer Security Protocol (TLS) December 4, 2017 h_da WS2017/18 Dr. Michael Schneider 1 1 Overview
More informationSecure Sockets Layer (SSL) / Transport Layer Security (TLS)
Secure Sockets Layer (SSL) / Transport Layer Security (TLS) Brad Karp UCL Computer Science CS GZ03 / M030 20 th November 2017 What Problems Do SSL/TLS Solve? Two parties, client and server, not previously
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 24 April 16, 2012 CPSC 467b, Lecture 24 1/33 Kerberos Secure Shell (SSH) Transport Layer Security (TLS) Digital Rights Management
More informationTLS 1.3 Extension for Certificate-based Authentication with an External Pre-Shared Key
TLS 1.3 Extension for Certificate-based Authentication with an External Pre-Shared Key draft-housley-tls-tls13-cert-with-extern-psk Russ Housley TLS WG at IETF 102 July 2018 TLS 1.3 Authentication and
More informationLecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena
Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall 2009 Nitesh Saxena *Adopted from a previous lecture by Gene Tsudik Course Admin HW3 Problem 3 due Friday midnight
More informationProtocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.
P2 Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE 802.11i, IEEE 802.1X P2.2 IP Security IPsec transport mode (host-to-host), ESP and
More informationThe World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to
1 The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to compromises of various sorts, with a range of threats
More informationExercises with solutions, Set 3
Exercises with solutions, Set 3 EDA625 Security, 2017 Dept. of Electrical and Information Technology, Lund University, Sweden Instructions These exercises are for self-assessment so you can check your
More informationKey Establishment. Chester Rebeiro IIT Madras. Stinson : Chapter 10
Key Establishment Chester Rebeiro IIT Madras CR Stinson : Chapter 10 Multi Party secure communication C D A B E F N parties want to communicate securely with each other (N=6 in this figure) If sends a
More informationSSL/TLS. How to send your credit card number securely over the internet
SSL/TLS How to send your credit card number securely over the internet The security provided by SSL SSL is implemented at level 4 The transport control layer In practice, SSL uses TCP sockets The underlying
More informationFrom Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design. Edition 4 Pearson Education 2005
Chapter 7: Security From Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design Edition 4 Introduction Security policies Provide for the sharing of resources within specified limits
More informationCryptography. Andreas Hülsing. 6 September 2016
Cryptography Andreas Hülsing 6 September 2016 1 / 21 Announcements Homepage: http: //www.hyperelliptic.org/tanja/teaching/crypto16/ Lecture is recorded First row might be on recordings. Anything organizational:
More informationTLS 1.2 Protocol Execution Transcript
Appendix C TLS 1.2 Protocol Execution Transcript In Section 2.3, we overviewed a relatively simple protocol execution transcript for SSL 3.0. In this appendix, we do something similar for TLS 1.2. Since
More informationCS Computer Networks 1: Authentication
CS 3251- Computer Networks 1: Authentication Professor Patrick Traynor 4/14/11 Lecture 25 Announcements Homework 3 is due next class. Submit via T-Square or in person. Project 3 has been graded. Scores
More informationLecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005
Lecture 30 Security April 11, 2005 Cryptography K A ciphertext Figure 7.3 goes here K B symmetric-key crypto: sender, receiver keys identical public-key crypto: encrypt key public, decrypt key secret Symmetric
More informationUniversität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2
Universität Hamburg SSL & Company Fachbereich Informatik SVS Sicherheit in Verteilten Systemen Security in TCP/IP UH, FB Inf, SVS, 18-Okt-04 2 SSL/TLS Overview SSL/TLS provides security at TCP layer. Uses
More informationCS 395T. Formal Model for Secure Key Exchange
CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,
More informationPreventing Attackers From Using Verifiers: A-PAKE With PK-Id
Preventing Attackers From Using Verifiers: A-PAKE With PK-Id Sean Parkinson (sean.parkinson@rsa.com) RSA, The Security Division of EMC Session ID: ARCH R02 Session Classification: Advanced Outline Introduction
More informationLecture 9a: Secure Sockets Layer (SSL) March, 2004
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York University artg@cs.nyu.edu Security Achieved by
More informationKey Agreement. Guilin Wang. School of Computer Science, University of Birmingham
Key Agreement Guilin Wang School of Computer Science, University of Birmingham G.Wang@cs.bham.ac.uk 1 Motivations As we know, symmetric key encryptions are usually much more efficient than public key encryptions,
More informationCS 494/594 Computer and Network Security
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Real-Time Communication Security Network layers
More informationTLS Extensions Project IMT Network Security Spring 2004
TLS Extensions Project IMT4101 - Network Security Spring 2004 Ole Martin Dahl [ole.dahl@hig.no] Torkjel Søndrol [torkjel.soendrol@hig.no] Fredrik Skarderud [fredrik.skarderud@hig.no] Ole Kasper Olsen [ole.olsen@hig.no]
More informationFall 2010/Lecture 32 1
CS 426 (Fall 2010) Key Distribution & Agreement Fall 2010/Lecture 32 1 Outline Key agreement without t using public keys Distribution of public keys, with public key certificates Diffie-Hellman Protocol
More informationCS 161 Computer Security
Raluca Popa Spring 2018 CS 161 Computer Security Homework 2 Due: Wednesday, February 14, at 11:59pm Instructions. This homework is due Wednesday, February 14, at 11:59pm. No late homeworks will be accepted.
More informationID protocols. Overview. Dan Boneh
ID protocols Overview The Setup sk Alg. G vk vk either public or secret User P (prover) Server V (verifier) no key exchange yes/no Applications: physical world Physical locks: (friend-or-foe) Wireless
More informationViber Encryption Overview
Introduction Terms Preparations for Session Setup Secure Session Setup Exchanging Messages Encrypted Calls Photo, Video and File Sharing Secure Groups Secondary Device Registration Authentication Viber
More informationAuthentication and Secure Communication. Jeff Chase Duke University
Authentication and Secure Communication Jeff Chase Duke University technology people Where are the boundaries of the system that you would like to secure? Where is the weakest link? What happens when the
More informationDatasäkerhetsmetoder föreläsning 7
Datasäkerhetsmetoder föreläsning 7 Nyckelhantering Jan-Åke Larsson Cryptography A security tool, not a general solution Cryptography usually converts a communication security problem into a key management
More informationIntroduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell
Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell 1 Cryptography Merriam-Webster Online Dictionary: 1. secret writing 2. the enciphering and deciphering
More informationLecture 07: Private-key Encryption. Private-key Encryption
Lecture 07: Three algorithms Key Generation: Generate the secret key sk Encryption: Given the secret key sk and a message m, it outputs the cipher-text c (Note that the encryption algorithm can be a randomized
More informationGrenzen der Kryptographie
Microsoft Research Grenzen der Kryptographie Dieter Gollmann Microsoft Research 1 Summary Crypto does not solve security problems Crypto transforms security problems Typically, the new problems relate
More informationPassword. authentication through passwords
Password authentication through passwords Human beings Short keys; possibly used to generate longer keys Dictionary attack: adversary tries more common keys (easy with a large set of users) Trojan horse
More informationHistory. TLS 1.3 Draft 26 Supported in TMOS v14.0.0
PRESENTED BY: History SSL developed by Netscape SSLv1.0 Never released SSLv2.0 1995 SSLv3.0 1996 Moved governance to the IETF and renamed TLS TLSv1.0 1999 TLSv1.1 2006 TLSv1.2 2008 TLSv1.3 2018 TLS 1.3
More informationProving who you are. Passwords and TLS
Proving who you are Passwords and TLS Basic, fundamental problem Client ( user ) How do you prove to someone that you are who you claim to be? Any system with access control must solve this Users and servers
More informationCryptography. Lecture 12. Arpita Patra
Cryptography Lecture 12 Arpita Patra Digital Signatures q In PK setting, privacy is provided by PKE q Integrity/authenticity is provided by digital signatures (counterpart of MACs in PK world) q Definition:
More informationEncryption. INST 346, Section 0201 April 3, 2018
Encryption INST 346, Section 0201 April 3, 2018 Goals for Today Symmetric Key Encryption Public Key Encryption Certificate Authorities Secure Sockets Layer Simple encryption scheme substitution cipher:
More informationSecure Internet Communication
Secure Internet Communication Can we prevent the Cryptocalypse? Dr. Gregor Koenig Barracuda Networks AG 09.04.2014 Overview Transport Layer Security History Orientation Basic Functionality Key Exchange
More informationComing of Age: A Longitudinal Study of TLS Deployment
Coming of Age: A Longitudinal Study of TLS Deployment Accepted at ACM Internet Measurement Conference (IMC) 2018, Boston, MA, USA Platon Kotzias, Abbas Razaghpanah, Johanna Amann, Kenneth G. Paterson,
More informationCS155. Cryptography Overview
CS155 Cryptography Overview Cryptography! Is n A tremendous tool n The basis for many security mechanisms! Is not n The solution to all security problems n Reliable unless implemented properly n Reliable
More informationSecuring IoT applications with Mbed TLS Hannes Tschofenig Arm Limited
Securing IoT applications with Mbed TLS Hannes Tschofenig Agenda Theory Threats Security services Hands-on with Arm Keil MDK Pre-shared secret-based authentication (covered in webinar #1) TLS Protocol
More informationPublic-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7
Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7 David Cash University of Chicago Plan 1. Security of RSA 2. Key Exchange, Diffie-Hellman 3. Begin digital
More information