Grenzen der Kryptographie (Limits of Cryptography)


Grenzen der Kryptographie (Limits of Cryptography)
Dieter Gollmann
Microsoft Research

Summary
- Crypto does not solve security problems
- Crypto transforms security problems
- Typically, the new problems relate to key management and the protection of keys
- In these areas, reasonable solutions exist for closed systems but hardly for open & public systems

Agenda
- A brief history of cryptography
- A long look at public key cryptography
- Security protocols and their verification
- Open and closed environments
- Conclusions

The origins of cryptography
- Two secure end systems, Alice and Bob, communicate over an insecure channel
- The enemy is an outsider listening to traffic

Symmetric key encryption
[Diagram: A encrypts plaintext to ciphertext; B decrypts ciphertext to plaintext]

Symmetric Key Cryptography
- Encryption protects documents on the way from A to B
- A and B need to share a key
- A procedure is required for A and B to obtain their shared key
- For n parties to communicate directly, about $n^2$ keys are needed
- Security services: confidentiality, integrity, authentication (data origin authentication, key exchange peer entity authentication)

Symmetric Key Cryptography
- Algorithms: DES, AES (Rijndael)
- No provable security
- Algorithms designed to resist known attacks: e.g. differential & linear cryptanalysis
- Recommended key length: 80-90 bits
- DES: 56-bit keys vulnerable to brute-force search
- DES designed to resist differential cryptanalysis

Key exchange: authentication
- Needham-Schroeder protocol: key transport protocol using a symmetric cipher for encryption
- A and B obtain a session key $K_{ab}$ from server S (Trusted Third Party)
- A [B] shares a secret key $K_{as}$ [$K_{bs}$] with S
- Nonces (random challenges) $n_A$ and $n_B$ in messages prevent replay attacks

Needham-Schroeder protocol (basis for Kerberos)
1. A → S: $A, B, n_A$
2. S → A: $eK_{as}(n_A, B, K_{ab}, eK_{bs}(K_{ab}, A))$
3. A → B: $eK_{bs}(K_{ab}, A)$
4. B → A: $eK_{ab}(n_B)$
5. A → B: $eK_{ab}(n_B - 1)$

History: Non-secret Encryption
- Fact: to exchange secret messages shared secrets are required
- Counterexample (Bell Labs, 1944):
  - receiver adds noise on a telephone line
  - sender sends the message
  - attacker only hears noise
  - receiver gets message by cancelling own noise
- J.H. Ellis (CESG): described a scheme for non-secret (public key) encryption in 1970

Encryption with public keys
[Diagram: A encrypts plaintext to ciphertext; B decrypts ciphertext to plaintext]

Public Key Cryptography
- Encryption protects documents on the way from A to B
- B has a public encryption key and a private decryption key
- A procedure is required for A to get an authentic copy of B's public key (need not be easier than getting a shared secret key)
- For n parties to communicate, n key pairs are needed

Digital signatures
[Diagram: A signs the document; B verifies document + signature and accepts or rejects]

Digital Signatures
- Protect authenticity of documents signed by A, more precisely, a cryptographic mechanism for associating documents with verification keys
- A has a public verification key and a private signature key
- A procedure is required for B to get an authentic copy of A's public key
- Provide authentication; on their own they do not provide non-repudiation at the level of persons
- Electronic signatures: a security service for associating documents with persons

Key exchange without secrets (e.g. the Diffie-Hellman protocol)
1. Alice puts key in box and attaches a lock
2. Bob adds his lock and returns the box
3. Alice removes her lock and returns the box
4. Bob removes his lock and opens the box

Public Key Cryptography
- Algorithms: RSA, ElGamal (encryption), RSA, DSA (digital signatures), Diffie-Hellman (key agreement), elliptic curve algorithms
- Provable security: reduction proofs to open problems: factoring, discrete logarithm (DLP)
- Note: RSA factoring, DSA DLP, DH DLP
- Provable security for protocols: reduction proofs to breaking the crypto algorithms (Bellare-Rogaway)
- Services: confidentiality, integrity, authentication, non-repudiation (at the level of keys)

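Key Sizes: RSA (key sizes in bits)

| Year | DES  | 2K 3DES | 3K 3DES | AES 128 | AES 192 | AES 256 |
|------|------|---------|---------|---------|---------|---------|
| 2001 | 620  | 1723    | 2426    | 3224    | 7918    | 15387   |
| 2010 | 747  | 1955    | 2709    | 3560    | 8493    | 16246   |
| 2020 | 906  | 2233    | 3046    | 3956    | 9160    | 17235   |
| 2030 | 1084 | 2534    | 3408    | 4379    | 9860    | 18260   |

Arjen Lenstra: Unbelievable Security, Asiacrypt 2001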

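Key Sizes: 2010 (key sizes in bits)

| System | DES | 2K 3DES | 3K 3DES | AES 128 | AES 192 | AES 256 |
|--------|-----|---------|---------|---------|---------|---------|
| RSA    | 750 | 2000    | 2700    | 3600    | 8500    | 16000   |
| LUC    | 860 | 2100    | 2900    | 3800    | 8900    | 17000   |
| XTR    | 490 | 1200    | 1600    | 2000    | 4600    | 8600    |
| ECC    | 510 | 860     | 1000    | 1200    | 1700    | 2300    |

Arjen Lenstra: Unbelievable Security, Asiacrypt 2001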

Digital Signature Misconceptions
- "Verification is decryption with the public key" (as stated in X.509): Even untrue for RSA signatures (existential forgeries), does not hold for DSA; the output of decrypt is of type message, the output of verify is of type Boolean
- "A signature binds the signer A to the document": verification links document and verification key
- "Digital signatures are legally binding": even if recognized by law, digital signatures do not guarantee that there is a court with jurisdiction
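The first misconception above, made concrete with textbook RSA (an added example, not from the original slides): applying the public key to any value yields some "message", so treating that as verification accepts a pair nobody signed, while a verify function compares against an encoding of the document and returns a Boolean. The toy key built from two Mersenne primes, the SHA-256-mod-N encoding and all function names are assumptions for illustration; real schemes use a padding such as PSS.

```python
import hashlib

# Constructed toy RSA key from two Mersenne primes; far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private signature exponent

def public_op(sig: int) -> int:
    """'Decryption with the public key': always yields a value of type message."""
    return pow(sig, E, N)

def naive_verify(msg: int, sig: int) -> bool:
    """The misconception as code: accept if public_op(sig) equals the message."""
    return public_op(sig) == msg

def digest(doc: bytes) -> int:
    # Assumed toy encoding: SHA-256 reduced mod N (stands in for real padding).
    return int.from_bytes(hashlib.sha256(doc).digest(), "big") % N

def sign(doc: bytes) -> int:
    """Hash-then-sign with the private signature key."""
    return pow(digest(doc), D, N)

def verify(doc: bytes, sig: int) -> bool:
    """Takes document, signature and verification key; the output is a Boolean."""
    return public_op(sig) == digest(doc)

def forge_without_key(sig: int = 123456789):
    """Existential forgery: choose any 'signature', derive the message it fits."""
    return public_op(sig), sig

if __name__ == "__main__":
    m, s = forge_without_key()
    print("naive check accepts unsigned pair:", naive_verify(m, s))
    print("hash-based verify accepts it:     ", verify(str(m).encode(), s))
```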

Digital Signatures revisited
- Authentication: Signatures are mathematical evidence linking a document to a public key
- The link between a public key and a person has to be established by procedural means
- This link can be recorded in a certificate (but certificates are not necessary for verifying digital signatures, verification keys are)
- The holder of a private signature key has to protect the key from compromise and to be sure that the key is only used as intended

Electronic signatures
[Diagram with the labels: public verification key, digital signature, mathematics, procedures, certificate, document, signing device, secure O/S, physical security, private signature key, name, person, key container]

Verifying security protocols
- Security services are typically provided by cryptographic protocols
- The design of security protocols is supposedly difficult and error prone
- There exists a substantial body of work on protocol analysis
- Can one trust the results of protocol analysis?
- We will use the Needham-Schroeder public key protocol as a case study

NS public key protocol (1978)
1. A → B: $eP_B(n_A, A)$
2. B → A: $eP_A(n_B, n_A)$
3. A → B: $eP_B(n_B)$
- Only B can decrypt the first message and form a reply containing the challenge $n_A$
- Only A can decrypt the second message and form a reply containing the challenge $n_B$

Fact sheet
- Defined in the 1970s: principals are honest
- Authentication: verifying the identity of the communicating principals to one another
- Communications with servers can be done without establishing a connection
- Establish a shared session key from $n_A$, $n_B$
- Formal analysis in the BAN logic (1990): e.g. A believes B believes $n_B$ is a secret shared by A and B

A second formal analysis (1995)
- Conducted by Gavin Lowe using CSP
- CSP processes communicate on channels
- Goals and assumptions:
  - Attacker can be a regular protocol participant
  - Initiator commits to a run with B when receiving a reply $eP_A(n_B, n_A)$ containing the challenge $n_A$
  - Responder commits to a run with A only if the message $eP_B(n_A, A)$ came from A
- Why should the origin of challenges be verified?

Lowe's man-in-the-middle attack: connection-oriented (1995)
1. A → E: $eP_E(n_A, A)$, then E → B: $eP_B(n_A, A)$
2. B → E: $eP_A(n_B, n_A)$, then E → A: $eP_A(n_B, n_A)$
3. A → E: $eP_E(n_B)$, then E → B: $eP_B(n_B)$
- Proof: Initiator A authenticates responder E
- Attack: Responder B can be tricked by a masquerading initiator

Why is there proof and attack?
- Assumptions about the environment differ: E is a protocol participant but E is not honest
- Authentication goals differ: correspondence properties as used by Lowe became popular in the early 1990s, but were only intended to capture the authentication of protocol runs
- Correspondence authentication of connections
  - A sees a run with E and is connected to E
  - B sees a run with A but is connected to E
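Lowe's run from the two slides above, replayed as a symbolic model (an added example, not from the original slides): `Enc(to, payload)` stands for eP_to(payload) and only tracks who can open a message. The `with_responder_name` variant, which puts B's name into message 2, is Lowe's published fix and does not appear on the slides; all function and variable names are illustrative.

```python
from collections import namedtuple

# Symbolic model: Enc(to, payload) stands for eP_to(payload); no real crypto.
Enc = namedtuple("Enc", "to payload")

def dec(owner, msg):
    """Only the holder of the matching private key can open a ciphertext."""
    if msg.to != owner:
        raise PermissionError(f"{owner} cannot open a message for {msg.to}")
    return msg.payload

def run(with_responder_name):
    """A starts an honest run with E; E relays towards B while posing as A.

    Returns (peer A accepts, peer B accepts, nonces E has learned).
    """
    n_a, n_b = "n_A", "n_B"            # constructed nonce symbols
    e_knows = set()

    m1 = Enc("E", (n_a, "A"))          # 1.  A -> E    : eP_E(n_A, A)
    nonce, name = dec("E", m1)         # E is the intended recipient
    e_knows.add(nonce)
    m1r = Enc("B", (nonce, name))      # 1'. E(A) -> B : eP_B(n_A, A)

    got_nonce, claimed = dec("B", m1r)
    body = (n_b, got_nonce, "B") if with_responder_name else (n_b, got_nonce)
    m2 = Enc("A", body)                # 2.  B -> A    : eP_A(n_B, n_A[, B])
    # E cannot open m2 and forwards it unchanged to A.

    reply = dec("A", m2)
    if reply[1] != n_a:
        return (None, None, e_knows)   # challenge n_A was not returned
    if with_responder_name and reply[2] != "E":
        return (None, None, e_knows)   # A aborts: reply names B, not her peer E

    m3 = Enc("E", (reply[0],))         # 3.  A -> E    : eP_E(n_B)
    e_knows.add(dec("E", m3)[0])       # E now holds both nonces
    m3r = Enc("B", dec("E", m3))       # 3'. E(A) -> B : eP_B(n_B)
    b_peer = claimed if dec("B", m3r) == (n_b,) else None
    return ("E", b_peer, e_knows)

if __name__ == "__main__":
    print("original protocol:", run(False))
    print("with responder name in message 2:", run(True))
```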

A triangle attack (connectionless)
1. A → E: $eP_E(n_A, A)$, then E → B: $eP_B(n_A, A)$
2. B → A: $eP_A(n_B, n_A)$
3. A → E: $eP_E(n_B)$, then E → B: $eP_B(n_B)$
- The initiator cannot be misled. Why? E is not responding
- B has been tricked. Why? A was involved in the protocol run

Comments
- The proof is no longer correct because we have an attack where the responder does not run the protocol
- The attack is no longer an attack because the initiator is involved in the protocol run
- Still, the attack violates properties claimed for the protocol: A is cheated because $n_A$ and $n_B$ are not secrets shared with E

Closed systems & open systems
There is an important difference between closed systems where parties look for protection from the outside (the old world cryptography came from) and open systems where parties look for protection from insiders (the new world of e-commerce)

Key exchange with a stranger
1. Alice puts key in box and attaches a lock
2. someone adds a lock and returns the box
3. Alice removes her lock and returns the box
4. someone removes the lock and opens the box

Conclusions
- Cryptography has its origins in communications security
- Not all security problems can be expressed as communications security problems
- Communications security tends to assume that end systems are secure and users are honest
- In today's world, we have to secure applications where end systems are not secure and users are not necessarily honest

Conclusions
- Crypto algorithms are not provably secure
  - Lars Knudsen: "If it's provably secure, it probably isn't"
- Crypto algorithms are practically very secure unless you insist on inventing your own algorithms
- Crypto gives no more security than the keys used; key management is a frequent source of problems
  - Robert Morris sr.: "The Enigma never was broken"
- Crypto gives no more security than the end system it is running on; designing secure end systems is the really difficult security challenge

Conclusions
- Crypto relies on tamper-resistant devices and on alternative channels (trust)
- Tamper-resistant devices + symmetric key crypto: CHAPS (see Davies & Price: Security for Computer Networks, 1984+89)
- Alternative channels for bootstrapping and for confirmation messages: GSM, book, newspaper
- Crypto depends on good security management
- End users are their own security managers
- How to get full control over your PC

Brave New World
[Diagram: bank, government, merchant, customer]
- Can all these parties manage their own security?

Security & Security Services
- There exist security services that do not provide any security at all
  Roger Schell, Novell, ex-USAF
- SSL gives no security guarantees that are relevant for e-commerce.
  Dr Richard Walton, Director of CESG
- Digital certificates provide no actual security for electronic commerce; it's a complete sham.
  Bruce Schneier: Secrets & Lies