Key Agreement. Guilin Wang. School of Computer Science, University of Birmingham
1 Motivations

As we know, symmetric key encryption is usually much more efficient than public key encryption, especially in terms of computational complexity. Therefore, to send a (large) message $M$, the following diagram is often used.

$$1.\ A \to B:\ \mathrm{Enc}_{PK_B}(K),\ E_K(M). \tag{1}$$

Here, $A$ and $B$ are the identities of the two communicating parties, Alice and Bob. $\mathrm{Enc}_{PK_B}(\cdot)$ is the public key encryption algorithm with respect to Bob's public key $PK_B$, while $E_K(\cdot)$ denotes a symmetric encryption algorithm associated with a session key $K$. After receiving the expected information from Alice, Bob first decrypts $\mathrm{Enc}_{PK_B}(K)$ to get the session key $K$ using his private key $SK_B$, and then derives the message $M$ from $E_K(M)$ using $K$.

The above scheme looks good, but it has some limitations in practice.
(a) If the receiver Bob does not have a public key at all, are there other approaches that allow Alice and Bob to agree on a session key $K$? For example, most ordinary Internet users do not have any certified public key nowadays.
(b) If the sender Alice wants to send a message to a group of $n$ receivers, is there a more efficient solution than encrypting the same session key to each receiver individually?

2 Introduction

Our topic today is key agreement, or key establishment, which is a slightly wider concept. Let us first give some basic definitions.

Definition 1 [5]. Key establishment is a process or protocol that enables two or more parties to share a secret session key, which can be used for subsequent secure communications.

Roughly speaking, key establishment schemes can be classified into key transport and key agreement, according to whether the key is determined by one party or by all parties.

Definition 2 [5]. A key transport protocol or mechanism is a key establishment technique where one party creates or obtains a secret key, and then securely transfers it to the other(s).

Definition 3 [5]. A key agreement protocol or mechanism is a key establishment technique in which a shared secret key is derived by two (or more) parties as a function of information contributed by, or associated with, each of these, (ideally) such that no party can predetermine the resulting value.
2.1 The Diffie-Hellman Protocol

The first solution to key agreement is the Diffie-Hellman (DH) protocol [3], also called exponential key exchange. This protocol allows two parties to agree on a shared session key by exchanging two messages over a public (and therefore insecure) network, even though they may never have known each other before or shared any secret in advance. To run the protocol, it is assumed that a large prime $p$ has been properly chosen and published, together with a generator $g$ of large prime order $q$ modulo $p$. That is, $q$ is the least positive integer such that $g^q = 1 \bmod p$, $g \in \mathbb{Z}_p^*$. In practice, we may select primes $p$ and $q$ such that p = 1024 and q =

$$\begin{aligned}
1.\ & A \to B:\ K_x = g^x \bmod p \\
2.\ & B \to A:\ K_y = g^y \bmod p \\
& \text{Output}:\ K_{xy} = (K_x)^y \bmod p = (K_y)^x \bmod p = g^{xy} \bmod p.
\end{aligned} \tag{2}$$

Here is the detailed description of the above protocol. To negotiate a session key with Bob, Alice first picks a random number $x \in [1, p-2]$ and sends the value $K_x = g^x \bmod p$ to Bob. Then, Bob similarly selects a random number $y \in [1, p-2]$ and returns to Alice the value $K_y = g^y \bmod p$. Finally, Alice derives the session key as $K_{xy} = (K_y)^x \bmod p$, while Bob obtains the same key by computing $K_{xy} = (K_x)^y \bmod p$. Note that sometimes we may just treat $K_{xy}$ as raw keying material, from which a real session key is derived. For example, let the session key be $sk = H(K_{xy} \| A \| B)$, where $H$ is a secure hash function.

The security of the Diffie-Hellman protocol relies on the following computational assumption.

Definition 4 (Computational Diffie-Hellman Assumption) (for short, CDH assumption). For properly chosen $p$, $g$ and $q$, it is computationally infeasible to derive $g^{xy} \bmod p$ from the values $g^x \bmod p$ and $g^y \bmod p$, where $x$ and $y$ are random secrets.

Remark 1: A related assumption is the discrete logarithm assumption (DL assumption). Namely, for properly chosen $p$, $g$ and $q$, it is computationally infeasible to derive $x$ from the value $g^x \bmod p$, where $x$ is a random secret. Moreover, it is easy to see that the CDH assumption is at least as strong as the DL assumption, since you can break the CDH assumption if you already know an algorithm that breaks the DL assumption. However, it is an open problem how to break the DL assumption if you can break the CDH assumption.

The CDH assumption looks nice and intractable, but the Diffie-Hellman protocol is not secure in practice, because it is vulnerable to an attack known as the man-in-the-middle attack.

2.2 Man-in-the-Middle Attack

For a third party Cindy, who can control the communications between Alice and Bob, the man-in-the-middle attack (MITM attack), illustrated in Eq. (3), can be mounted against the Diffie-Hellman protocol. When Alice initiates a protocol instance by sending $K_x$ to Bob, Cindy intercepts this value and impersonates Bob by replying with $K_a$ to Alice. At the same time, Cindy pretends to be Alice and sends Bob the value $K_b$ to initiate another protocol run, and then intercepts the response value $K_y$ from Bob. The result is that Cindy and Alice share $K_{xa} = g^{xa} \bmod p$, Cindy and Bob share $K_{yb} = g^{yb} \bmod p$, but Alice and Bob might mistakenly believe that they have successfully agreed on a shared key.
Key Agreement: A Guest Lecture, 12 Nov

$$\begin{aligned}
1.\ & A \to (B)C:\ K_x = g^x \bmod p \\
2.\ & C(B) \to A:\ K_a = g^a \bmod p \\
1.\ & C(A) \to B:\ K_b = g^b \bmod p \\
2.\ & B \to (A)C:\ K_y = g^y \bmod p
\end{aligned} \tag{3}$$

The MITM attack may have severe consequences, since Cindy can unwrap and re-wrap all secure envelopes in the subsequent communications between Alice and Bob, so that they still think everything is fine. So why is the Diffie-Hellman protocol insecure, even though the attack does not break the underlying CDH assumption? The reason is that it does not include any authentication mechanism, i.e., no party can be sure that the other communicating party is really the party it claims to be.

2.3 Station-to-Station Protocol

To repair the security flaw in the Diffie-Hellman protocol, the following station-to-station (STS) protocol was proposed by Diffie, van Oorschot and Wiener in For simplicity, all modulo $p$ operations have been omitted.

$$\begin{aligned}
1.\ & A \to B:\ g^x \\
2.\ & B \to A:\ g^y,\ E_K(\mathrm{Sig}_B(g^y, g^x)) \\
3.\ & A \to B:\ E_K(\mathrm{Sig}_A(g^x, g^y)) \\
& \text{Output}:\ K_{xy} = (g^x)^y = (g^y)^x = g^{xy}.
\end{aligned} \tag{4}$$

To add authentication, the STS protocol requires that both parties have a public key pair for signature generation and verification, and that they know a publicly released symmetric key encryption algorithm. In contrast, note that the Diffie-Hellman protocol does not make these assumptions. The first step of the STS protocol is the same as in the Diffie-Hellman protocol. Upon receiving $g^x$, Bob selects a random $y$, derives the session key as $K = (g^x)^y$, and then sends Alice back $g^y$ together with his encrypted signature $E_K(\mathrm{Sig}_B(g^y, g^x))$ on the message $(g^y, g^x)$. In step 3, Alice first computes the session key $K = (g^y)^x$, decrypts $\mathrm{Sig}_B(g^y, g^x)$ from $E_K(\mathrm{Sig}_B(g^y, g^x))$ by using $K$, and finally checks whether $\mathrm{Sig}_B(g^y, g^x)$ is Bob's valid signature on the message $(g^y, g^x)$. If the answer is no, Alice terminates the protocol execution. Otherwise, Alice sends Bob her encrypted signature $E_K(\mathrm{Sig}_A(g^x, g^y))$ on the message $(g^x, g^y)$. Once $E_K(\mathrm{Sig}_A(g^x, g^y))$ is received correctly, Bob knows that Alice has already obtained the secret key $K$.

According to the above description, we can see that in the STS protocol, signatures are used to authenticate a communicating party's identity, while the symmetric encryption under the just established session key $K$ is used to demonstrate knowledge of this session key by encrypting the signatures.

3 More Concepts and Protocols

To understand what kinds of threats key agreement protocols over open channels may be subject to, we need to discuss what the security requirements are, and what behaviours are allowed for an attacker, whose goal is to break one or more of the security requirements. The following are the main security requirements of key agreement protocols.
Definition 5 [5]. We say a key agreement protocol satisfies key authentication, if one party is assured that other than specifically identified parties (including identified trusted parties, if any) it is infeasible for anyone else to derive a particular secret key.

Note that key authentication does not guarantee that all parties involved actually possess the secret key. For this reason, key authentication is sometimes, more precisely, called implicit key authentication.

Definition 6 [5]. We say a key agreement protocol satisfies key confirmation, if one party is assured that all other parties (possibly unidentified) actually have possession of a particular secret key.

Definition 7 [5]. We say a key agreement protocol satisfies explicit key authentication, if both (implicit) key authentication and key confirmation hold, i.e., the identified parties, and only they, actually have possession of a particular secret key.

When designing and analyzing security protocols, we assume that all underlying cryptographic mechanisms used are secure. These basic building blocks are usually encryption algorithms, digital signatures, hash functions and so on. Such an assumption is quite reasonable, since one cannot expect a protocol to be secure if its underlying cryptographic primitives are flawed. Consequently, the main aim of an attacker or adversary against a security protocol is to subvert the protocol itself, instead of cryptanalyzing the underlying cryptographic algorithms.

Attackers can be passive or active. A passive attacker attempts to defeat the security requirements of a security protocol simply by eavesdropping on, recording, and then analyzing the data exchanged among the communicating parties. In contrast, an active attacker has the ability to completely control the communication channel, so it is able to record, alter, delete, insert, redirect, reorder, and reuse past or current messages, and inject new messages [5]. Ideally, we expect a protocol to be efficient and secure against active attacks under the weakest assumptions.

3.1 Authenticated Key Exchange Protocol

In 1994, Bellare and Rogaway proposed a key agreement protocol called AKEP2 (Authenticated Key Exchange Protocol 2). By assuming that the two parties Alice and Bob share two long-term secret keys $k$ and $k'$, this protocol uses two keyed hash functions $H_k(\cdot)$ and $H_{k'}(\cdot)$ to realize key agreement.

$$\begin{aligned}
1.\ & A \to B:\ N_a \\
2.\ & B \to A:\ B, A, N_a, N_b, H_k(B, A, N_a, N_b) \\
3.\ & A \to B:\ A, N_b, H_k(A, N_b) \\
& \text{Output}:\ K = H_{k'}(N_b).
\end{aligned} \tag{5}$$

Here, $N_a$ and $N_b$ are nonces generated by Alice and Bob respectively. Both parties can deduce the final session key as $K = H_{k'}(N_b)$. AKEP2 provides mutual entity authentication and (implicit) key authentication.

AKEP2 is interesting, but it requires that the two parties share some secrets in advance. However, this assumption does not hold in some scenarios. For instance, two parties who have never communicated before may want to exchange data someday. In addition, if one user communicates with a lot of people, he/she has to maintain a table of the secrets shared with those people. To avoid these two limitations, the solution is to introduce a trusted server $S$ and require each party to share a distinct secret with the server.
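The AKEP2 exchange of Eq. (5) with both sides' checks, as an added example that is not part of the original handout. HMAC-SHA256 is an assumed instantiation of the keyed hash functions $H_k$ and $H_{k'}$, and the class, method and helper names are hypothetical.

```python
import hashlib
import hmac
import secrets


class ProtocolError(Exception):
    """Raised when a received AKEP2 message fails a check."""


def keyed_hash(key, *fields):
    # Assumed instantiation of H_k / H_k': HMAC-SHA256 over length-prefixed
    # fields, so (b"AB", b"C") and (b"A", b"BC") never produce the same tag.
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for field in fields:
        mac.update(len(field).to_bytes(4, "big") + field)
    return mac.digest()


class Party:
    def __init__(self, name, peer, k, k_prime):
        self.name, self.peer = name, peer
        self.k, self.k_prime = k, k_prime
        self.n_a = self.n_b = None          # nonce of the run in progress

    # --- initiator side (Alice) ---
    def send_msg1(self):
        self.n_a = secrets.token_bytes(16)  # fresh N_a for every run
        return self.n_a

    def recv_msg2_send_msg3(self, msg2):
        b, a, n_a, n_b, tag = msg2
        if (b, a) != (self.peer, self.name):
            raise ProtocolError("unexpected identities in message 2")
        if self.n_a is None or not hmac.compare_digest(n_a, self.n_a):
            raise ProtocolError("N_a does not belong to this run")
        if not hmac.compare_digest(tag, keyed_hash(self.k, b, a, n_a, n_b)):
            raise ProtocolError("bad H_k tag on message 2")
        self.n_a = None                     # accept one response per run
        session_key = keyed_hash(self.k_prime, n_b)        # K = H_k'(N_b)
        return session_key, (self.name, n_b, keyed_hash(self.k, self.name, n_b))

    # --- responder side (Bob) ---
    def recv_msg1_send_msg2(self, n_a):
        self.n_b = secrets.token_bytes(16)
        tag = keyed_hash(self.k, self.name, self.peer, n_a, self.n_b)
        return (self.name, self.peer, n_a, self.n_b, tag)

    def recv_msg3(self, msg3):
        a, n_b, tag = msg3
        if a != self.peer:
            raise ProtocolError("unexpected identity in message 3")
        if self.n_b is None or not hmac.compare_digest(n_b, self.n_b):
            raise ProtocolError("N_b does not belong to this run")
        if not hmac.compare_digest(tag, keyed_hash(self.k, a, n_b)):
            raise ProtocolError("bad H_k tag on message 3")
        self.n_b = None
        return keyed_hash(self.k_prime, n_b)               # K = H_k'(N_b)


def rejected(step, message):
    """True if the given protocol step refuses the message."""
    try:
        step(message)
    except ProtocolError:
        return True
    return False


def demo():
    k, k_prime = secrets.token_bytes(32), secrets.token_bytes(32)
    alice = Party(b"A", b"B", k, k_prime)
    bob = Party(b"B", b"A", k, k_prime)
    msg2 = bob.recv_msg1_send_msg2(alice.send_msg1())
    key_a, msg3 = alice.recv_msg2_send_msg3(msg2)
    key_b = bob.recv_msg3(msg3)
    alice.send_msg1()                       # Alice starts a second run
    replay_refused = rejected(alice.recv_msg2_send_msg3, msg2)
    return key_a == key_b, replay_refused


if __name__ == "__main__":
    print(demo())
```

A recorded message 2 is refused in a later run because its tag covers the old $N_a$, which is how the nonces give each side freshness without a clock.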
3.2 The Needham-Schroeder Protocol

The Needham-Schroeder (NS) protocol, proposed in 1978, is essentially a key transport protocol, since the session key is selected entirely by a trusted server, also called an authentication server. Besides the trusted server $S$, the NS protocol also supposes that there is a secure and publicly known symmetric encryption algorithm $E$ for session key transport and message authentication.

$$\begin{aligned}
1.\ & A \to S:\ A, B, N_a \\
2.\ & S \to A:\ E_{K_{as}}(N_a, B, K, E_{K_{bs}}(K, A)) \\
3.\ & A \to B:\ E_{K_{bs}}(K, A) \\
4.\ & B \to A:\ E_K(N_b) \\
5.\ & A \to B:\ E_K(N_b - 1) \\
& \text{Output}:\ K\ \text{(session key)}.
\end{aligned} \tag{6}$$

Here, $N_a$ and $N_b$ are nonces. $K_{as}$ and $K_{bs}$ are the long-term secret keys shared by Alice and the server, and by Bob and the server, respectively, while $K$ is the session key generated by the server for Alice and Bob. In the first three steps, Alice gets the session key $K$ from the server and forwards it to Bob. The last two messages allow Bob to check whether Alice is currently using the same session key $K$.

The NS protocol is vulnerable to a replay attack, identified by Denning and Sacco in 1981, in which an attacker Cindy can impersonate Alice to cheat Bob by using a compromised old session key $K$ between Alice and Bob. Here is the attack:

$$\begin{aligned}
3.\ & C(A) \to B:\ E_{K_{bs}}(K, A) \\
4.\ & B \to (A)C:\ E_K(N_b) \\
5.\ & C(A) \to B:\ E_K(N_b - 1)
\end{aligned} \tag{7}$$

The Denning-Sacco attack implies that, from Bob's viewpoint, the NS protocol does not provide key freshness. A key is called fresh if it is guaranteed to be a newly generated key, from the viewpoint of one party involved in the protocol. To provide key freshness for the NS protocol, the server can insert a timestamp $T$ into the key certificate for Bob, i.e., replacing $E_{K_{bs}}(K, A)$ by $E_{K_{bs}}(K, T, A)$.

Remark 2: In fact, there are two NS protocols. The one discussed above is the symmetric NS protocol, which has been extended to Kerberos, a system developed at MIT within the project Athena in the 1980s.
The public key NS protocol is also interesting, especially due to an attack found by Gavin Lowe 17 years after the publication of the NS protocol. This is also a good example showing that security protocols are notoriously error prone.

3.3 Password-based Protocols

In the NS protocol, both parties are required to share long-term secrets with the server. If these parties are human beings, who need to access the server via untrusted terminals from time to time, for example to access an on-line bank service, long secret keys are not easy to memorize. One naive approach is to let each party share a short password with the server, and to use this password as the long-term key or derive the long-term key from the password. However, people tend to pick easily guessable passwords, i.e., passwords are short strings with low entropy. Consequently, the above simple approach suffers from the so-called off-line dictionary attack. For example, if $K_{bs}$ in the NS protocol is replaced by a password $P_{bs}$ shared by Bob and the server, even a passive attacker can deduce the session key $K$ without too much effort. The reason is that by eavesdropping on the message $E_{P_{bs}}(K, A)$, the attacker can try all possible passwords $P$ to decrypt the ciphertext $E_{P_{bs}}(K, A)$. Once the resulting plaintext contains the suffix $A$, the identity of Alice, $P$ is likely the correct password $P_{bs}$ and the rest of the plaintext is likely the session key.

The following Encrypted Key Exchange (EKE) protocol, proposed by Bellovin and Merritt in 1992, avoids the above weakness.

$$\begin{aligned}
1.\ & A \to B:\ E_P(PK) \\
2.\ & B \to A:\ E_P(\mathrm{Enc}_{PK}(K)) \\
& \text{Output}:\ K\ \text{(session key)}.
\end{aligned} \tag{8}$$

Here, $P$ is the password shared between Alice and Bob, while $PK$ is an ephemeral public key generated by Alice, so she also holds the corresponding private key. In step 1, Alice sends this temporary public key $PK$ to Bob encrypted under the password $P$. Then, in step 2, Bob selects a session key $K$ and forwards it to Alice using the double encryption $E_P(\mathrm{Enc}_{PK}(K))$. Namely, $K$ is first encrypted under the public key $PK$ and then symmetrically encrypted under the password $P$. Upon receiving $E_P(\mathrm{Enc}_{PK}(K))$, Alice can then derive $K$ by using the password $P$ and the private key corresponding to $PK$.

In the literature, there are a lot of password-based protocols; see, for example, reference [1].

3.4 Group Key Agreement Protocols

So far, only two-party key agreement protocols, perhaps involving an additional trusted third party, have been discussed. Now, we introduce a group key agreement protocol, proposed by Burmester and Desmedt [2], which enables a group of parties to establish a session key efficiently. Essentially, the Burmester-Desmedt (BD) protocol is an extension of the Diffie-Hellman protocol. Using the same system parameters as in Section 2.1, the BD protocol for $n$ parties ($n > 2$) can be briefly reviewed as follows.

Step 1. Each party $U_i$ ($i = 1, 2, \ldots, n$) selects a random number $x_i$ and broadcasts $k_i = g^{x_i} \bmod p$.

Step 2. Each party $U_i$ broadcasts $K_i = (k_{i+1}/k_{i-1})^{x_i} \bmod p$, where the indices are taken in a cycle.

Step 3. Now, each party $U_i$ computes the session key $K$ by

$$K = k_{i-1}^{n x_i} \cdot K_i^{n-1} \cdot K_{i+1}^{n-2} \cdots K_{i-2} \bmod p. \tag{9}$$

It is easy to see that if all parties follow the above protocol then all of them will obtain the same session key from Eq. (9), which is

$$K = g^{x_1 x_2 + x_2 x_3 + \cdots + x_n x_1} \bmod p. \tag{10}$$

The Burmester-Desmedt protocol is secure against a passive attacker under the assumption that the computational Diffie-Hellman problem is intractable, i.e., the CDH assumption holds.

4 Summary

In this handout, we briefly introduced the basic concepts and mechanisms for key agreement, which is a protocol or mechanism that allows two or more parties to agree on a shared secret key efficiently and securely. A number of well-known protocols were reviewed and discussed by pointing out their security features and weaknesses. In particular, we illustrated the man-in-the-middle attack, the replay attack, and the off-line dictionary attack.

References

1. Colin Boyd and Anish Mathuria. Protocols for Authentication and Key Establishment. Springer-Verlag,
2. Mike Burmester and Yvo Desmedt. A Secure and Scalable Group Key Exchange System. Information Processing Letters, 2005, 94(3): Original version appears in the proceedings of EUROCRYPT '94, LNCS 950, pp
3. Whitfield Diffie and Martin E. Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, November 1976, 22(6):
4. Dieter Gollmann. Computer Security, 2nd Edition, chapter 12: Authentication in Distributed Systems. John Wiley & Sons, Ltd,
5. Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography, chapter 12: Key Establishment Protocols. CRC Press,
6. Key-agreement Protocol. protocol.
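The STS exchange of Eq. (4) from Section 2.3, run once honestly and once with the key substitution of Eq. (3), as an added example that is not part of the original handout. The toy group, the Schnorr signature standing in for $\mathrm{Sig}_A$ and $\mathrm{Sig}_B$, the XOR keystream standing in for $E_K$, and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group constructed for this example (far too small for real use):
# P = 2Q + 1 with P and Q prime; G = 4 has prime order Q modulo P.
P, Q, G = 2039, 1019, 4


def _hash_int(*parts):
    data = b"|".join(str(part).encode() for part in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def rand_exp():
    return secrets.randbelow(Q - 1) + 1              # uniform in [1, Q-1]


# Assumed stand-in for Sig_A / Sig_B: a Schnorr signature in the toy group.
def keygen():
    sk = rand_exp()
    return sk, pow(G, sk, P)


def sign(sk, msg):
    r = rand_exp()
    e = _hash_int(pow(G, r, P), *msg)
    return e, (r + e * sk) % Q


def verify(pk, msg, sig):
    e, s = sig
    commitment = pow(G, s, P) * pow(pk, -e, P) % P   # needs Python 3.8+
    return _hash_int(commitment, *msg) == e


# Assumed stand-in for E_K: XOR with a SHA-256 keystream (its own inverse).
def E(key, data):
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def kdf(shared):
    return hashlib.sha256(b"sts|" + str(shared).encode()).digest()


def wrap(key, sig):
    return E(key, sig[0].to_bytes(32, "big") + sig[1].to_bytes(4, "big"))


def unwrap(key, blob):
    raw = E(key, blob)
    return int.from_bytes(raw[:32], "big"), int.from_bytes(raw[32:], "big")


def bob_step2(sk_b, gx):
    y = rand_exp()
    gy = pow(G, y, P)
    key = kdf(pow(gx, y, P))
    return gy, wrap(key, sign(sk_b, (gy, gx))), key


def alice_step3(sk_a, pk_b, x, gy, blob):
    gx, key = pow(G, x, P), kdf(pow(gy, x, P))
    if not verify(pk_b, (gy, gx), unwrap(key, blob)):
        return None                                  # Alice terminates the run
    return key, wrap(key, sign(sk_a, (gx, gy)))


def bob_accepts(pk_a, key, gx, gy, blob):
    return verify(pk_a, (gx, gy), unwrap(key, blob))


def honest_run():
    (sk_a, pk_a), (sk_b, pk_b) = keygen(), keygen()
    x = rand_exp()
    gx = pow(G, x, P)
    gy, blob2, key_b = bob_step2(sk_b, gx)
    key_a, blob3 = alice_step3(sk_a, pk_b, x, gy, blob2)
    return key_a, key_b, bob_accepts(pk_a, key_b, gx, gy, blob3)


def substituted_run():
    # Eq. (3) applied to STS: Cindy swaps in g^a and g^b and re-wraps the
    # signature Bob produced in her run, since she cannot sign as Bob.
    (sk_a, _), (sk_b, pk_b) = keygen(), keygen()
    x, a, b = rand_exp(), rand_exp(), rand_exp()
    gx, ga, gb = (pow(G, v, P) for v in (x, a, b))
    gy, blob_for_c, _ = bob_step2(sk_b, gb)           # Bob signs (g^y, g^b)
    sig_b = unwrap(kdf(pow(gy, b, P)), blob_for_c)    # Cindy knows K_yb
    rewrapped = wrap(kdf(pow(gx, a, P)), sig_b)       # and K_xa
    return alice_step3(sk_a, pk_b, x, ga, rewrapped)  # None: check fails


if __name__ == "__main__":
    print(honest_run()[2], substituted_run())
```

Alice's check fails in the second run because Bob's signature covers $(g^y, g^b)$ while she verifies it against the pair $(g^a, g^x)$ she actually saw.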
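The Burmester-Desmedt computation of Section 3.4, checking Eq. (9) at every party against the closed form of Eq. (10), as an added example that is not part of the original handout. The toy group parameters and all function names are assumptions, and the two validation helpers go beyond the three steps in the text: they are checks a receiver can apply to the broadcast values.

```python
import secrets

# Toy group constructed for this example (far too small for real use):
# P = 2Q + 1 with P and Q prime; G = 4 has prime order Q modulo P.
P, Q, G = 2039, 1019, 4


def round1(n):
    """Step 1: each U_i picks x_i and broadcasts k_i = g^x_i mod p."""
    xs = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    ks = [pow(G, x, P) for x in xs]
    return xs, ks


def valid_element(k):
    """Receiver-side check: k lies in the order-Q subgroup and is not 1."""
    return 1 < k < P and pow(k, Q, P) == 1


def round2(xs, ks):
    """Step 2: each U_i broadcasts K_i = (k_{i+1} / k_{i-1})^x_i mod p."""
    n = len(xs)
    big_ks = []
    for i in range(n):
        inverse_prev = pow(ks[(i - 1) % n], -1, P)   # needs Python 3.8+
        ratio = ks[(i + 1) % n] * inverse_prev % P
        big_ks.append(pow(ratio, xs[i], P))
    return big_ks


def broadcasts_consistent(big_ks):
    """The exponents of the K_i telescope to 0, so their product must be 1."""
    product = 1
    for value in big_ks:
        product = product * value % P
    return product == 1


def session_key(i, x_i, ks, big_ks):
    """Step 3, Eq. (9): K = k_{i-1}^(n x_i) K_i^(n-1) K_{i+1}^(n-2) ... K_{i-2}."""
    n = len(ks)
    key = pow(ks[(i - 1) % n], n * x_i, P)
    for j in range(n - 1):                           # exponents n-1 down to 1
        key = key * pow(big_ks[(i + j) % n], n - 1 - j, P) % P
    return key


def expected_key(xs):
    """Eq. (10): K = g^(x_1 x_2 + x_2 x_3 + ... + x_n x_1) mod p."""
    n = len(xs)
    exponent = sum(xs[i] * xs[(i + 1) % n] for i in range(n)) % Q
    return pow(G, exponent, P)


def run_group(n):
    xs, ks = round1(n)
    if not all(valid_element(k) for k in ks):
        raise ValueError("round-1 value outside the subgroup")
    big_ks = round2(xs, ks)
    if not broadcasts_consistent(big_ks):
        raise ValueError("round-2 values do not telescope to 1")
    keys = [session_key(i, xs[i], ks, big_ks) for i in range(n)]
    return keys, expected_key(xs)


if __name__ == "__main__":
    keys, closed_form = run_group(5)
    print(len(set(keys)) == 1 and keys[0] == closed_form)
```

The consistency check catches a malformed round-2 broadcast, but it does not authenticate the senders, which matches the handout's statement that the protocol is secure against a passive attacker only.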
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 9 March 30, 2011 Question 1 Another Use for Hash Functions (8 min) The traditional Unix system for password authentication works more or less like
More informationA Limitation of BAN Logic Analysis on a Man-in-the-middle Attack