Message authentication
|
|
- Rolf Woods
- 6 years ago
- Views:
Transcription
1 Message authentication -- Reminder on hash unctions -- MAC unctions hash based block cipher based -- Digital signatures (c) Levente Buttyán Hash unctions a hash unction is a unction H: {0, 1}* {0, 1} n that maps arbitrary long messages into a ixed length output notation and terminology: x (input) message y = H(x) hash value, message digest, ingerprint typical application: the hash value o a message can serve as a compact representative image o the message (similar to ingerprints) H is a many-to-one mapping collisions are unavoidable however, inding collisions are very diicult (practically ineasible) increase the eiciency o digital signatures by signing the hash instead o the message (expensive operation is perormed on small data) examples: (MD5,) SHA-1, SHA-256 Protocols (message authentication, session key establishment) 2
2 Desired properties o hash unctions ease o computation given an input x, the hash value H(x) o x is easy to compute weak collision resistance (2 nd preimage resistance) given an input x, it is computationally ineasible to ind a second input x such that H(x ) = H(x) strong collision resistance (collision resistance) it is computationally ineasible to ind any two distinct inputs x and x such that H(x) = H(x ) one-way hash unction (preimage resistance) given a hash value y (or which no preimage is known), it is computationally ineasible to ind any input x such that H(x) = y collision resistant hash unctions are similar to block ciphers in the sense that they can be modeled as a random unction Protocols (message authentication, session key establishment) 3 Iterative hash unctions operation: input is divided into ixed length blocks last block is padded i necessary each input block is processed according to the ollowing scheme input x = x 1 x 2 x 3 x L, input block x i (b) CV 0 = IV CV i-1 (n) compression unction (n) CV i chaning variable alternative illustration: H(x) = CV L x 1 x 2 x 3 x L (b) (b) (b) (b) CV 0 (n) (n) CV 1 (n) CV 2 (n) CV 3 CV L-1 (n) H(x) = CV L Protocols (message authentication, session key establishment) 4
3 MAC unctions MAC = Message Authentication Code a MAC unction is a unction MAC: {0, 1}* x {0, 1} k {0, 1} n that maps an arbitrary long message and a key into a ixed length output can be viewed as a hash unction with an additional input (the key) terminology and usage: the sender computes the MAC value M = MAC(m, K), where m is the message, and K is the MAC key the sender attaches M to m, and sends them to the receiver the receiver receives (m, M ) the receiver computes M = MAC(m, K) and compares it to M ; i they are the same, then the message is accepted, otherwise rejected services: message authentication and integrity protection: ater successul veriication o the MAC value, the receiver is assured that the message has been generated by the sender and it has not been altered examples: HMAC, CBC-MAC schemes Protocols (message authentication, session key establishment) 5 MAC generation and veriication illustrated generation message secret key MAC MAC MAC veriication message secret key MAC MAC MAC compare compare yes/no Protocols (message authentication, session key establishment) 6
4 Desired properties o MAC unctions ease o computation key non-recovery it is computationally ineasible to recover the secret key K, given one or more message-mac pairs (m i, M i ) or that K computation resistance given zero or more message-mac pairs (m i, M i ), it is computationally ineasible to ind a valid message-mac pair (m, M) such that m m i computation resistance implies key non-recovery but the reverse is not true in general Protocols (message authentication, session key establishment) 7 Secret preix method MAC k (x) = H(k x) insecure! assume an attacker knows the MAC on x: M = H(k x) he can produce the MAC on x y as M = (M,y), where x is x with padding and is the compression unction o H k x 1 x 2 x L padding y padding CV 0 M M = MAC k (x y) Protocols (message authentication, session key establishment) 8
5 A similar mistake MAC k (x) = H k (x) where H k (.) is H(.) with CV 0 = k x 1 x 2 x L padding y padding K M M = MAC k (x y) Protocols (message authentication, session key establishment) 9 Secret suix method MAC k (x) = H(x k) insecure i H is not collision resistant using a birthday attack, the attacker inds two inputs x and x such that H(x) = H(x ) (can be done o-line without the knowledge o k) then obtaining the MAC M on one o the inputs, say x, allows the attacker to orge a text-mac pair (x, M) weaknesses MAC depends only on the last chaining variable key is involved only in the last step x 1 x 1 x 2 x 2 x L x L k padding CV 0 H(x) = H(x ) M Protocols (message authentication, session key establishment) 10
6 HMAC HMAC k (x) = H( (k + opad) H( (k + ipad) x ) ) where h is a hash unction with input block size b and output size n k + is k padded with 0s to obtain a length o b bits ipad is repeated b/8 times opad is repeated b/8 times k + ipad x 1 x L padding 1 H CV 0 CV 1 inner k + opad M padding 2 H CV 0 CV 1 outer HMAC k (x) Protocols (message authentication, session key establishment) 11 CBC-MAC x 1 x 2 x 3 x N c N-1 + k E k E k E k E c 1 c 2 c 3 k E -1 CBC MAC is secure or messages o a ixed number o blocks orgery is possible i variable length messages are allowed k E CBC MAC optional c N Protocols (message authentication, session key establishment) 12
7 How to use CBC-MAC in practice? use the optional inal encryption reduces the threat o exhaustive key search (key is (k, k ) key length is doubled) prevents known existential orgeries has marginal overhead (only last block is encrypted multiple times) prepend the message with a block containing the length o the message beore the MAC computation use k to encrypt the length and obtain k = E k (length), and use k as the MAC key (i.e., use message dependent MAC keys) Protocols (message authentication, session key establishment) 13 Digital signature schemes unctions (algorithms) and terminology: key-pair generation unction G() = (K +, K - ) K + public key K - private key signature generation unction S(K -, m) = s m message s signature signature veriication unction V: V(K +, m, s) = accept or reject services: message authentication and integrity protection: ater successul veriication o the signature, the receiver is assured that the message has been generated by the sender and it has not been altered non-repudiation o origin: the receiver can prove this to a third party (hence the sender cannot repudiate) examples: RSA, DSA, ECDSA (shorter key and signature length!) Protocols (message authentication, session key establishment) 14
8 Hash-and-sign paradigm public/private key operations are slow increase eiciency by signing the hash o the message instead o the message it is essential that the hash unction is collision resistant (why?) generation private key o sender message hash signature h enc enc veriication message h h hash compare compare yes/no dec dec public key o sender signature Protocols (message authentication, session key establishment) 15 Security o digital signature schemes as in the case o public-key encryption, security is usually related to the diiculty o solving the underlying hard problems attack objectives: existential orgery attacker is able to compute a valid signature or at least one message selective orgery attacker is able to compute valid signatures or a particular class o messages total break the attacker is able to orge signatures or all messages or he can deduce the private key attack models: key-only attack known-message attack (adaptive) chosen-message attack Protocols (message authentication, session key establishment) 16
9 RSA signature scheme key pair generation same as or RSA encryption: public key is (n, e), private key is d signature generation (input: m, d; output: σ) compute µ = h(m) (PKCS #1 ormatting) compute σ = µ d mod n signature veriication (input: m, σ, (n, e); output: yes/no) compute µ = σ e mod n (PKCS #1 processing, reject i µ is not well ormatted) compute µ = h(m) compare µ and µ i they match, then output yes (accept) otherwise, output no (reject) Protocols (message authentication, session key establishment) 17 Management requirements or key pairs RSA has the interesting property that the same key pair can be used or both encryption and digital signature however, such double use o key-pairs is not advisable; users should have dierent key-pairs or dierent applications the main reason is in the dierence in key management requirements digital signature private key should never leave the key owner s system private key doesn t need back up and archive (why?) public key (certiicate) needs to be archived encryption private key oten needs to be backed up and archived (why?) public key usually doesn t need to be archived the two applications have conlicting requirements Protocols (message authentication, session key establishment) 18
10 Session key establishment protocols -- Motivations and design objectives -- Basic concepts and techniques -- Key transport and key agreement protocols -- Password based key exchange (c) Levente Buttyán Motivation communicating parties must share a secret key in order to use symmetric key cryptographic algorithms (e.g., block ciphers, stream ciphers, and MAC unctions) it is desired that a dierent shared key is established or each communication session session key to ensure independence across sessions to avoid long-term storage o a large number o shared keys to limit the number o ciphertexts available or cryptanalysis we need mechanisms that allow two (or more) remote parties to set up a shared secret in a dynamic (on-demand) manner session key establishment protocols Protocols (message authentication, session key establishment) 20
11 Design objectives at the end o the protocol Alice and Bob should learn the value o the session key K (eectiveness) no other parties (with the possible exception o a trusted third party) should know the value o K (implicit key authentication) Alice and Bob should believe that K is reshly generated (key reshness) optionally, Alice should believe that Bob knows the key K, and vice versa (key conirmation) Protocols (message authentication, session key establishment) 21 Adversary model the underlying cryptographic primitives used in the protocol are secure however, the adversary may obtain old session keys the adversary has ull control over the communications o the honest parties can eavesdrop, modiy, delete, inject, and replay messages can coerce honest parties to engage into protocol runs the adversary may be a legitimate protocol participant (an insider), or an external party (an outsider), or the combination o both Protocols (message authentication, session key establishment) 22
12 Basic classiication o protocols key transport protocols one party (typically a trusted third party) creates a new session key, and securely transers it to the other parties key agreement protocols the session key is derived by the parties as a unction o inormation contributed by each, such that no party can predetermine the resulting value o the key Protocols (message authentication, session key establishment) 23 First attempt or a key transport protocol Alice Server Bob A, B K generate K A, K most obvious problem: the adversary can eavesdrop K implicit key authentication is not provided Protocols (message authentication, session key establishment) 24
13 Second attempt Alice Server Bob A, B E Kas (K), E Kbs (K) generate K A, E Kbs (K) problems: Alice cannot be sure that K has been created or the session between hersel and Bob similarly, Bob cannot be sure that he shares K with Alice implicit key authentication is still not provided Protocols (message authentication, session key establishment) 25 An attack against the second attempt Alice A, B Mallory (intercepted by Mallory) Server Bob M, A E Kas (K), garbage A, garbage generate K E Kms (K), E Kas (K) (intended or Bob, but intercepted by Mallory) notes: typical man-in-the-middle (MitM) attack Alice believes that she shares K with Bob, but she shares it with the adversary derived design principle: i the name o a party is essential to the meaning o a message, then it must be mentioned explicitly in the message Protocols (message authentication, session key establishment) 26
14 Third attempt Alice Server Bob A, B generate K E Kas (B K), E Kbs (A K) E Kbs (A K) problem: neither Alice nor Bob can be sure that K is resh no key reshness is provided Protocols (message authentication, session key establishment) 27 An attack against the third attempt Alice Mallory Bob A, B E Kas (B K), E Kbs (A K) E Kbs (A K) notes: typical replay attack i K is compromised by the adversary, then she can decrypt ollow-up communications between Alice and Bob even i K is not compromised, the adversary can replay encrypted messages to Alice and Bob rom the past session where K was used Protocols (message authentication, session key establishment) 28
15 How to achieve reshness? use timestamps use random nonces (nonce = number used once) use a key agreement protocol Protocols (message authentication, session key establishment) 29 Timestamps E Kas (B K T s ), where T s is the current time on the clock o S key is accepted only i the timestamp is within an acceptable window o the current time at the receiver can provide strong assurances, but requires synchronized clocks important warning: i a party s clock is advanced, then (s)he may generate messages that will be considered resh in the uture (although they may be dropped near the time o their generation) Protocols (message authentication, session key establishment) 30
16 Random nonces E Kas (B K N A ), where N A is a resh and unpredictable random number generated by A (and sent to S beorehand) key is accepted only i the time that elapsed between sending the nonce and receiving the message containing the nonce is acceptably short less precise than a timestamp (exact time o key generation is not known), but it provides suicient guarantees o reshness in most practical cases it requires an extra message to send the nonce, and some temporary state to store the nonce or veriication purposes Protocols (message authentication, session key establishment) 31 Random nonces important warning: i nonces were predictable, the adversary could obtain a message containing a uture nonce o Alice, which would later be considered as resh by Alice Alice Mallory Server A, B, N A E Kas (B K N A ), T T A t A, B, N A E Kas (B K N A ), Alice believes that the key is younger than T A -t, while in act, it is older than T A -T Protocols (message authentication, session key establishment) 32
17 Key reshness in key agreement protocols K = (k A, k B ), where k A and k B are the contributions o Alice and Bob, respectively i (x,.) is a one-way unction (or any x), then once Alice has chosen k A, Bob cannot ind any k B, such that (k A, k B ) has a pre-speciied value (e.g., an old session key) similarly, i (., y) is a one-way unction (or any y), then once Bob has chosen k B, Alice cannot ind any k A, such that (k A, k B ) has a pre-speciied value i the contribution o a party is resh, then (s)he can be sure that the resulting session key is resh too Protocols (message authentication, session key establishment) 33 Fourth attempt Alice Server Bob A, B, N A generate K E Kas (B K N A E Kbs (A K)) E Kbs (A K) N B E K (A B K N B ) notes: nested encryption provides key conirmation or Bob this protocol is similar to the well-known Needham-Schroeder protocol (symmetric key) seemingly correct, but Protocols (message authentication, session key establishment) 34
18 An attack against the ourth attempt Mallory E Kbs (A K) N B E K (A B K N B ) Bob notes: K is an old session key that is compromised by the adversary E Kbs (A K) is replayed rom the old protocol run (where K was established as the session key) Bob will believe that he established a session with A, but A is not present derived design principles: the act that a key K is used recently to encrypt a message does not mean that K is resh when proving the reshness o a key K by binding it to some resh data (timestamp or nonce), don t use K itsel or the binding Protocols (message authentication, session key establishment) 35 Fith attempt Alice Bob Server A, N A A, N A, B, N B generate K E Kas (B K N A ) E Kas (B K N A ), E Kbs (A K N B ) any problems? Protocols (message authentication, session key establishment) 36
19 Protocol engineering checklist be explicit interpretation o messages shouldn t depend on context inormation, but it should be based solely on the content o the messages include names that are needed to correctly interpret the message consider including protocol type, run identiier, and message number to avoid protocol intererence, interleaving, and message relection attacks, respectively think twice about key reshness decide on how you want to ensure key reshness or the dierent participants consider the advantages and disadvantages o nonces and timestamps in a given application environment state assumptions explicitly state all the assumptions on which the security o your protocol depends so that someone who wants to use your protocol can veriy i they hold in a given application environment Protocols (message authentication, session key establishment) 37 Key agreement with the Diie-Hellman protocol summary: a key agreement protocol based on one-way unctions; in particular, security o the protocol is based on the hardness o the discrete logarithm problem and that o the Diie-Hellman problem assumptions: p is a large prime, g is a generator o Z p*, both are publicly known system parameters Alice Bob select random x compute g x mod p g x mod p g y mod p select random y compute g y mod p compute k = (g y ) x mod p compute k = (g x ) y mod p characteristics: NO AUTHENTICATION, key reshness with randomly selected exponents, no party can control the key, no need or a trusted third party Protocols (message authentication, session key establishment) 38
20 The Station-to-Station protocol summary: three-pass variation o the basic Diie-Hellman protocol; it uses digital signatures to provide mutual entity authentication and mutual explicit key authentication Alice Bob select random x compute g x mod p g x mod p g y mod p, E k (S Kb (g y, g x )) select random y compute g y mod p compute k = (g x ) y mod p compute k = (g y ) x mod p E k (S Ka (g x, g y )) characteristics: mutual entity authentication, mutual explicit key authentication, key reshness with random exponents, no party can control the key, o-line third party or issuing public key certiicates may be required, initial exchange o public keys between the parties may be required Protocols (message authentication, session key establishment) 39 Password based key exchange assume that two parties (e.g., a user and a server) share a password (relatively weak secret) how to set up a cryptographic key (strong secret) with the help o this password? Protocols (message authentication, session key establishment) 40
21 A naïve solution Alice can generate a key K and encrypt it with the password pwd (or its hash value): A B : A, E H(pwd) (K) Bob can use the hash o the password to obtain K rom E H(pwd) (K), and then use K to encrypt messages or Alice or example: B A : E K ( Last login at 16:34, Monday ) Protocols (message authentication, session key establishment) 41 The problem (key reshness is not provided by the naïve protocol, but it could be added by including a timestamp) i a weak password is used, then the naïve solution is vulnerable to an o-line dictionary attack: assume that the attacker eavesdropped a protocol run or each candidate password pwd?, compute the candidate key K? = D H(pwd?) (E H(pwd) (K)) test K? by checking i D K? (E K ( Last login )) is a meaningul message i so, then pwd? is Alice s password, otherwise throw away pwd? and try a new candidate password rom the dictionary Protocols (message authentication, session key establishment) 42
22 Encrypted Key Exchange (EKE) the basic idea Alice generates a public key / private key pair K + and K -, and encrypts K + with the (hash o the) password pwd: A B : A, E H(pwd) (K + ) Bob uses the (hash o the) password to obtain K +, then generates a (symmetric) key K, and encrypts it with K + in the public key cryptosystem; the result is urther encrypted with the (hash o the) password: B A : E H(pwd) (AE K+ (K)) Alice uses the (hash o the) password and K - to obtain K rom E H(pwd) (AE K+ (K)); then she can use K to send messages to Bob: A B : E K ( Last login at 16:34, Monday ) Protocols (message authentication, session key establishment) 43 Why is this good? or a candidate password pwd?, the attacker can compute a candidate public key K +? as D H(pwd?) (E H(pwd) (K + )) but K +? cannot really be tested the attacker needs to ind a key K? such that AE K+? (K?) = D H(pwd?) (E H(pwd) (AE K+ (K))) D K? (E K ( Last login )) makes sense both would require an exhaustive search over the key space rom which K is chosen (or breaking the symmetric or the asymmetric cipher) the relatively small space o passwords is thus multiplied by the large key space rom which K is chosen (privacy ampliication eect) Protocols (message authentication, session key establishment) 44
23 What about key reshness? as Bob generates K, key reshness is provided or Bob or Alice K + is resh, and this guarantees reshness o K through the encryption AE K+ (K) (assuming that Alice trusts Bob or generating resh session keys) Alice can conclude that someone who knows the password (which can only be Bob) has recently sent K to the other holder o the password (which can only be Alice) Protocols (message authentication, session key establishment) 45
Session key establishment protocols
our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session
More informationSession key establishment protocols
our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session
More informationAppendix A: Introduction to cryptographic algorithms and protocols
Security and Cooperation in Wireless Networks http://secowinet.epfl.ch/ Appendix A: Introduction to cryptographic algorithms and protocols 2007 Levente Buttyán and Jean-Pierre Hubaux symmetric and asymmetric
More informationData Integrity. Modified by: Dr. Ramzi Saifan
Data Integrity Modified by: Dr. Ramzi Saifan Encryption/Decryption Provides message confidentiality. Does it provide message authentication? 2 Message Authentication Bob receives a message m from Alice,
More informationLecture 1: Course Introduction
Lecture 1: Course Introduction Thomas Johansson T. Johansson (Lund University) 1 / 37 Chapter 9: Symmetric Key Distribution To understand the problems associated with managing and distributing secret keys.
More informationCryptographic Checksums
Cryptographic Checksums Mathematical function to generate a set of k bits from a set of n bits (where k n). k is smaller then n except in unusual circumstances Example: ASCII parity bit ASCII has 7 bits;
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.
CS355: Cryptography Lecture 17: X509. PGP. Authentication protocols. Key establishment. Public Keys and Trust Public Key:P A Secret key: S A Public Key:P B Secret key: S B How are public keys stored How
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 6 Week of March 6, 2017 Question 1 Password Hashing (10 min) When storing a password p for user u, a website randomly generates a string s (called
More informationLecture 1 Applied Cryptography (Part 1)
Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication
More informationCSCE 715: Network Systems Security
CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina Next Topic in Cryptographic Tools Symmetric key encryption Asymmetric key encryption Hash functions and
More informationCSC 774 Network Security
CSC 774 Network Security Topic 2. Review of Cryptographic Techniques CSC 774 Dr. Peng Ning 1 Outline Encryption/Decryption Digital signatures Hash functions Pseudo random functions Key exchange/agreement/distribution
More informationL13. Reviews. Rocky K. C. Chang, April 10, 2015
L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing
More informationCryptographic Hash Functions
ECE458 Winter 2013 Cryptographic Hash Functions Dan Boneh (Mods by Vijay Ganesh) Previous Lectures: What we have covered so far in cryptography! One-time Pad! Definition of perfect security! Block and
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationCSC/ECE 774 Advanced Network Security
Computer Science CSC/ECE 774 Advanced Network Security Topic 2. Network Security Primitives CSC/ECE 774 Dr. Peng Ning 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange;
More informationUNIT - IV Cryptographic Hash Function 31.1
UNIT - IV Cryptographic Hash Function 31.1 31-11 SECURITY SERVICES Network security can provide five services. Four of these services are related to the message exchanged using the network. The fifth service
More informationSummary on Crypto Primitives and Protocols
Summary on Crypto Primitives and Protocols Levente Buttyán CrySyS Lab, BME www.crysys.hu 2015 Levente Buttyán Basic model of cryptography sender key data ENCODING attacker e.g.: message spatial distance
More informationData Security and Privacy. Topic 14: Authentication and Key Establishment
Data Security and Privacy Topic 14: Authentication and Key Establishment 1 Announcements Mid-term Exam Tuesday March 6, during class 2 Need for Key Establishment Encrypt K (M) C = Encrypt K (M) M = Decrypt
More informationCS408 Cryptography & Internet Security
CS408 Cryptography & Internet Security Lecture 18: Cryptographic hash functions, Message authentication codes Functions Definition Given two sets, X and Y, a function f : X Y (from set X to set Y), is
More informationCryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1
Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography CS555 Spring 2012/Topic 16 1 Outline and Readings Outline Private key management between two parties Key management
More informationApplied Cryptography and Computer Security CSE 664 Spring 2017
Applied Cryptography and Computer Security Lecture 18: Key Distribution and Agreement Department of Computer Science and Engineering University at Buffalo 1 Key Distribution Mechanisms Secret-key encryption
More informationCSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography Outline 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More informationKey Agreement. Guilin Wang. School of Computer Science, University of Birmingham
Key Agreement Guilin Wang School of Computer Science, University of Birmingham G.Wang@cs.bham.ac.uk 1 Motivations As we know, symmetric key encryptions are usually much more efficient than public key encryptions,
More information9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng Basic concepts in cryptography systems Secret cryptography Public cryptography 1 2 Encryption/Decryption Cryptanalysis
More informationOutline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography 1. Introduction 2. RSA Outline 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More informationCSE 127: Computer Security Cryptography. Kirill Levchenko
CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified
More informationThis chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest
1 2 3 This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest PKCS, Diffie- Hellman key exchange. This first published
More informationCryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Outline Basic concepts in cryptography systems Secret key cryptography Public key cryptography Hash functions 2 Encryption/Decryption
More informationOutline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)
Outline AIT 682: Network and Systems Security 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard Topic 5.2 Public Key Cryptography Instructor: Dr. Kun Sun 2 Public Key
More informationT Cryptography and Data Security
T-79.4501 Cryptography and Data Security Lecture 10: 10.1 Random number generation 10.2 Key management - Distribution of symmetric keys - Management of public keys Stallings: Ch 7.4; 7.3; 10.1 1 The Use
More informationSpring 2010: CS419 Computer Security
Spring 2010: CS419 Computer Security Vinod Ganapathy Lecture 7 Topic: Key exchange protocols Material: Class handout (lecture7_handout.pdf) Chapter 2 in Anderson's book. Today s agenda Key exchange basics
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 1: Overview What is Cryptography? Cryptography is the study of
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.1 Introduction to Cryptography CSC 474/574 By Dr. Peng Ning 1 Cryptography Cryptography Original meaning: The art of secret writing Becoming a science that
More informationDigital Signatures. Luke Anderson. 7 th April University Of Sydney.
Digital Signatures Luke Anderson luke@lukeanderson.com.au 7 th April 2017 University Of Sydney Overview 1. Digital Signatures 1.1 Background 1.2 Basic Operation 1.3 Attack Models Replay Naïve RSA 2. PKCS#1
More informationUnit III. Chapter 1: Message Authentication and Hash Functions. Overview:
Unit III Chapter 1: Message Authentication and Hash Functions Overview: Message authentication is a mechanism or service used to verify the integrity of a message. Message authentication assures that data
More informationIntroduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell
Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell 1 Cryptography Merriam-Webster Online Dictionary: 1. secret writing 2. the enciphering and deciphering
More informationLecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena
Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall 2009 Nitesh Saxena *Adopted from a previous lecture by Gene Tsudik Course Admin HW3 Problem 3 due Friday midnight
More informationCSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L
CS 3461/5461: Introduction to Computer Networking and Internet Technologies Network Security Study: 21.1 21.5 Kannan Srinivasan 11-27-2012 Security Attacks, Services and Mechanisms Security Attack: Any
More informationCryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 38 A Tutorial on Network Protocols
More informationKey Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings
Key Exchange References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings Outlines Primitives Root Discrete Logarithm Diffie-Hellman ElGamal Shamir s Three Pass
More informationWhat did we talk about last time? Public key cryptography A little number theory
Week 4 - Friday What did we talk about last time? Public key cryptography A little number theory If p is prime and a is a positive integer not divisible by p, then: a p 1 1 (mod p) Assume a is positive
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 4, 2017 CPSC 467, Lecture 11 1/39 ElGamal Cryptosystem Message Integrity and Authenticity Message authentication codes
More informationElements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy
Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 2 Due: Friday, 10/28/2016 at 11:55pm PT Will be posted on
More informationCS Computer Networks 1: Authentication
CS 3251- Computer Networks 1: Authentication Professor Patrick Traynor 4/14/11 Lecture 25 Announcements Homework 3 is due next class. Submit via T-Square or in person. Project 3 has been graded. Scores
More information2.1 Basic Cryptography Concepts
ENEE739B Fall 2005 Part 2 Secure Media Communications 2.1 Basic Cryptography Concepts Min Wu Electrical and Computer Engineering University of Maryland, College Park Outline: Basic Security/Crypto Concepts
More informationCSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography
CSCI 454/554 Computer and Network Security Topic 2. Introduction to Cryptography Outline Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues 2 Basic Concepts and Definitions
More informationKey Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature
Key Management Digital signatures: classical and public key Classic and Public Key exchange 1 Handwritten Signature Used everyday in a letter, on a check, sign a contract A signature on a signed paper
More informationCIS 4360 Secure Computer Systems Applied Cryptography
CIS 4360 Secure Computer Systems Applied Cryptography Professor Qiang Zeng Spring 2017 Symmetric vs. Asymmetric Cryptography Symmetric cipher is much faster With asymmetric ciphers, you can post your Public
More informationPretty Good Privacy (PGP)
Pretty Good Privacy (PGP) -- PGP services -- PGP key management (c) Levente Buttyán (buttyan@crysys.hu) What is PGP? general purpose application to protect (encrypt and/or sign) files can be used to protect
More informationIssues. Separation of. Distributed system security. Security services. Security policies. Security mechanism
Module 9 - Security Issues Separation of Security policies Precise definition of which entities in the system can take what actions Security mechanism Means of enforcing that policy Distributed system
More informationSpring 2010: CS419 Computer Security
Spring 2010: CS419 Computer Security MAC, HMAC, Hash functions and DSA Vinod Ganapathy Lecture 6 Message Authentication message authentication is concerned with: protecting the integrity of a message validating
More informationDigital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)
Message Authentication Code (MAC) Key-dependent one-way hash function Only someone with a correct key can verify the hash value Easy way to turn one-way hash function into MAC is to encrypt hash value
More informationOutline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing
Outline CSCI 454/554 Computer and Network Security Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues Topic 2. Introduction to Cryptography 2 Cryptography Basic Concepts
More informationMessage Authentication Codes and Cryptographic Hash Functions
Message Authentication Codes and Cryptographic Hash Functions Readings Sections 2.6, 4.3, 5.1, 5.2, 5.4, 5.6, 5.7 1 Secret Key Cryptography: Insecure Channels and Media Confidentiality Using a secret key
More informationIntegrity of messages
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 106 Integrity of messages Goal: Ensure change of message by attacker can be detected Key tool: Cryptographic hash function Definition
More informationUnit 8 Review. Secure your network! CS144, Stanford University
Unit 8 Review Secure your network! 1 Basic Problem Internet To first approximation, attackers control the network Can snoop, replay, suppress, send How do we defend against this? Communicate securely despite
More informationCryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology
Cryptography & Key Exchange Protocols Faculty of Computer Science & Engineering HCMC University of Technology Outline 1 Cryptography-related concepts 2 3 4 5 6 7 Key channel for symmetric cryptosystems
More informationIntroduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms
Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms Egemen K. Çetinkaya Egemen K. Çetinkaya Department of Electrical & Computer Engineering Missouri University of
More informationKey Establishment and Authentication Protocols EECE 412
Key Establishment and Authentication Protocols EECE 412 1 where we are Protection Authorization Accountability Availability Access Control Data Protection Audit Non- Repudiation Authentication Cryptography
More informationCryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015
Cryptographic Hash Functions Rocky K. C. Chang, February 5, 2015 1 This set of slides addresses 2 Outline Cryptographic hash functions Unkeyed and keyed hash functions Security of cryptographic hash functions
More information(2½ hours) Total Marks: 75
(2½ hours) Total Marks: 75 N. B.: (1) All questions are compulsory. (2) Makesuitable assumptions wherever necessary and state the assumptions made. (3) Answers to the same question must be written together.
More information1 Identification protocols
ISA 562: Information Security, Theory and Practice Lecture 4 1 Identification protocols Now that we know how to authenticate messages using MACs, a natural question is, how can we use MACs to prove that
More informationKurose & Ross, Chapters (5 th ed.)
Kurose & Ross, Chapters 8.2-8.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) Addison-Wesley, April 2009. Copyright 1996-2010, J.F Kurose and
More informationSymmetric Encryption
Symmetric Encryption Ahmed Y. Banihammd & Ihsan, ALTUNDAG Mon November 5, 2007 Advanced Cryptography 1st Semester 2007-2008 University Joseph Fourrier, Verimag Master Of Information Security And Coding
More informationCS Protocol Design. Prof. Clarkson Spring 2017
CS 5430 Protocol Design Prof. Clarkson Spring 2017 Review Cryptography: Encryption, block ciphers, block cipher modes, MACs, cryptographic hash functions, digital signatures, authenticated encryption,
More informationDistributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015
Distributed Systems 26. Cryptographic Systems: An Introduction Paul Krzyzanowski Rutgers University Fall 2015 1 Cryptography Security Cryptography may be a component of a secure system Adding cryptography
More information1. Diffie-Hellman Key Exchange
e-pgpathshala Subject : Computer Science Paper: Cryptography and Network Security Module: Diffie-Hellman Key Exchange Module No: CS/CNS/26 Quadrant 1 e-text Cryptography and Network Security Objectives
More informationCIS 4360 Secure Computer Systems Symmetric Cryptography
CIS 4360 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2017 Previous Class Classical Cryptography Frequency analysis Never use home-made cryptography Goals of Cryptography
More informationECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos
ECE596C: Handout #9 Authentication Using Shared Secrets Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract. In this lecture we introduce the concept of authentication and
More informationCS 161 Computer Security
Raluca Popa Spring 2018 CS 161 Computer Security Homework 2 Due: Wednesday, February 14, at 11:59pm Instructions. This homework is due Wednesday, February 14, at 11:59pm. No late homeworks will be accepted.
More informationIntroduction to Cryptography. Lecture 6
Introduction to Cryptography Lecture 6 Benny Pinkas page 1 1 Data Integrity, Message Authentication Risk: an active adversary might change messages exchanged between Alice and Bob M Alice M M M Bob Eve
More informationChapter 9: Key Management
Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures Slide #9-1 Overview Key exchange Session vs. interchange
More informationAPNIC elearning: Cryptography Basics
APNIC elearning: Cryptography Basics 27 MAY 2015 03:00 PM AEST Brisbane (UTC+10) Issue Date: Revision: Introduction Presenter Sheryl Hermoso Training Officer sheryl@apnic.net Specialties: Network Security
More informationPublic-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7
Public-Key Cryptography Professor Yanmin Gong Week 3: Sep. 7 Outline Key exchange and Diffie-Hellman protocol Mathematical backgrounds for modular arithmetic RSA Digital Signatures Key management Problem:
More informationEncryption. INST 346, Section 0201 April 3, 2018
Encryption INST 346, Section 0201 April 3, 2018 Goals for Today Symmetric Key Encryption Public Key Encryption Certificate Authorities Secure Sockets Layer Simple encryption scheme substitution cipher:
More informationData Integrity & Authentication. Message Authentication Codes (MACs)
Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (receiver) Fran
More informationSecurity Handshake Pitfalls
Security Handshake Pitfalls Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr 1 Cryptographic Authentication Password authentication is subject to eavesdropping Alternative: Cryptographic challenge-response
More informationChapter 9 Public Key Cryptography. WANG YANG
Chapter 9 Public Key Cryptography WANG YANG wyang@njnet.edu.cn Content Introduction RSA Diffie-Hellman Key Exchange Introduction Public Key Cryptography plaintext encryption ciphertext decryption plaintext
More informationMessage authentication codes
Message authentication codes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction security of MAC Constructions block cipher
More informationCOMP4109 : Applied Cryptography
COMP4109 : Applied Cryptography Fall 2013 M. Jason Hinek Carleton University Applied Cryptography Day 2 information security cryptographic primitives unkeyed primitives NSA... one-way functions hash functions
More informationProtocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh
Protocols II Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 17th February 2011 Outline Introduction Shared-key Authentication Asymmetric authentication protocols
More informationBasic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline
CSC/ECE 574 Computer and Network Security Topic 2. Introduction to Cryptography 1 Outline Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues 2 Basic Concepts and Definitions
More informationSymmetric Encryption 2: Integrity
http://wwmsite.wpengine.com/wp-content/uploads/2011/12/integrity-lion-300x222.jpg Symmetric Encryption 2: Integrity With material from Dave Levin, Jon Katz, David Brumley 1 Summing up (so far) Computational
More informationComputer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 10r. Recitation assignment & concept review Paul Krzyzanowski Rutgers University Spring 2018 April 3, 2018 CS 419 2018 Paul Krzyzanowski 1 1. What is a necessary condition for perfect
More information1 Defining Message authentication
ISA 562: Information Security, Theory and Practice Lecture 3 1 Defining Message authentication 1.1 Defining MAC schemes In the last lecture we saw that, even if our data is encrypted, a clever adversary
More informationGrenzen der Kryptographie
Microsoft Research Grenzen der Kryptographie Dieter Gollmann Microsoft Research 1 Summary Crypto does not solve security problems Crypto transforms security problems Typically, the new problems relate
More informationIdentification Schemes
Identification Schemes Lecture Outline Identification schemes passwords one-time passwords challenge-response zero knowledge proof protocols Authentication Data source authentication (message authentication):
More informationPublic Key Algorithms
CSE597B: Special Topics in Network and Systems Security Public Key Cryptography Instructor: Sencun Zhu The Pennsylvania State University Public Key Algorithms Public key algorithms RSA: encryption and
More informationInformation Security CS 526
Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric
More informationModule: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security
CMPSC443 - Introduction to Computer and Network Security Module: Cryptographic Protocols Professor Patrick McDaniel Spring 2009 1 Key Distribution/Agreement Key Distribution is the process where we assign
More informationL7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806
L7: Key Distributions Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806 9/16/2015 CSCI 451 - Fall 2015 1 Acknowledgement Many slides are from or are
More informationTest 2 Review. (b) Give one significant advantage of a nonce over a timestamp.
Test 2 Review Name Student ID number Notation: {X} Bob Apply Bob s public key to X [Y ] Bob Apply Bob s private key to Y E(P, K) Encrypt P with symmetric key K D(C, K) Decrypt C with symmetric key K h(x)
More informationSecurity Handshake Pitfalls
Cryptographic Authentication Security Handshake Pitfalls Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr Password authentication is subject to eavesdropping Alternative: Cryptographic challenge-response
More informationPROTECTING CONVERSATIONS
PROTECTING CONVERSATIONS Basics of Encrypted Network Communications Naïve Conversations Captured messages could be read by anyone Cannot be sure who sent the message you are reading Basic Definitions Authentication
More informationDavid Wetherall, with some slides from Radia Perlman s security lectures.
David Wetherall, with some slides from Radia Perlman s security lectures. djw@cs.washington.edu Networks are shared: Want to secure communication between legitimate participants from others with (passive
More informationFrom Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design. Edition 4 Pearson Education 2005
Chapter 7: Security From Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design Edition 4 Introduction Security policies Provide for the sharing of resources within specified limits
More information10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms
Authentication IT443 Network Security Administration Instructor: Bo Sheng Authentication Mechanisms Key Distribution Center and Certificate Authorities Session Key 1 2 Authentication Authentication is
More informationPassword. authentication through passwords
Password authentication through passwords Human beings Short keys; possibly used to generate longer keys Dictionary attack: adversary tries more common keys (easy with a large set of users) Trojan horse
More informationOverview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation
Overview Key exchange Session vs. interchange keys Classical, public key methods Key generation Cryptographic key infrastructure Certificates Key storage Key escrow Key revocation Digital signatures May
More informationCrypto Background & Concepts SGX Software Attestation
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 4b Slide deck extracted from Kamran s tutorial on SGX, presented during ECE 6095 Spring 2017 on Secure Computation and Storage, a precursor to this course
More information