Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Similar documents
Chapter 9: Key Management

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Cryptographic Checksums

Chapter 10: Key Management

Spring 2010: CS419 Computer Security

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

CSC 482/582: Computer Security. Security Protocols

INFSCI 2935: Introduction of Computer Security 1. Courtesy of Professors Chris Clifton & Matt Bishop. INFSCI 2935: Introduction to Computer Security 2

Information Security & Privacy

Key Management CS461/ECE422

Key Escrow. Desirable Properties

Fun with Crypto keys and protocols. some Bishop, some Jim, some RA

What did we talk about last time? Public key cryptography A little number theory

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Elements of Security

Session key establishment protocols

Session key establishment protocols

T Cryptography and Data Security

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Cryptographic Protocols 1

Cryptography and Network Security Chapter 14

L8: Public Key Infrastructure. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

CSC/ECE 774 Advanced Network Security

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Grenzen der Kryptographie

Cryptography and Network Security Chapter 13. Digital Signatures & Authentication Protocols

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Lecture 2 Applied Cryptography (Part 2)

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

Cryptography V: Digital Signatures

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Kurose & Ross, Chapters (5 th ed.)

CS 161 Computer Security

CSC 474/574 Information Systems Security

UNIT - IV Cryptographic Hash Function 31.1

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

CPSC 467: Cryptography and Computer Security

Contents Digital Signatures Digital Signature Properties Direct Digital Signatures

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

CSC 774 Network Security

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Public Key Algorithms

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

CS3235 Seventh set of lecture slides

Chapter 9 Public Key Cryptography. WANG YANG

Key Establishment and Authentication Protocols EECE 412

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

CS 161 Computer Security

Cryptography V: Digital Signatures

Cryptographic Concepts

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

egov & PKI By: Alaa Eldin Mahmoud Aly YOUR LOGO

Diffie-Hellman. Part 1 Cryptography 136

Network Security. Chapter 8. MYcsvtu Notes.

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Cryptography MIS

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Outline More Security Protocols CS 239 Computer Security February 6, 2006

ISA 662 Internet Security Protocols. Outline. Prime Numbers (I) Beauty of Mathematics. Division (II) Division (I)

Authentication Handshakes

Introduction to SSL. Copyright 2005 by Sericon Technology Inc.

NETWORK SECURITY & CRYPTOGRAPHY

CS 161 Computer Security

Public-key Cryptography: Theory and Practice

Security Handshake Pitfalls

Outline More Security Protocols CS 239 Computer Security February 4, 2004

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

PROTECTING CONVERSATIONS

CS Protocol Design. Prof. Clarkson Spring 2017

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

CSC 474/574 Information Systems Security

T Cryptography and Data Security

Protecting Information Assets - Week 11 - Cryptography, Public Key Encryption and Digital Signatures. MIS 5206 Protecting Information Assets

1 Identification protocols

Security: Focus of Control

The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who

Encryption. INST 346, Section 0201 April 3, 2018

Cryptography and Network Security Chapter 13. Fourth Edition by William Stallings. Lecture slides by Lawrie Brown

Outline Key Management CS 239 Computer Security February 9, 2004

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Applied Cryptography Protocol Building Blocks

S. Erfani, ECE Dept., University of Windsor Network Security

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography

Authentication in Distributed Systems

Network Security Chapter 8

CT30A8800 Secured communications

Formal Methods for Assuring Security of Computer Networks

PKI Services. Text PKI Definition. PKI Definition #1. Public Key Infrastructure. What Does A PKI Do? Public Key Infrastructures

Security. Communication security. System Security

CS 161 Computer Security

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

ECEN 5022 Cryptography

Real-time protocol. Chapter 16: Real-Time Communication Security

Modern cryptography 2. CSCI 470: Web Science Keith Vertanen

Transcription:

Key Management Digital signatures: classical and public key Classic and Public Key exchange 1 Handwritten Signature Used everyday in a letter, on a check, sign a contract A signature on a signed paper document specifies the person responsible for that document Signature becomes physically a part of the document Signature can be verified by comparing it to known authentic signatures (e.g., signature on a check, credit card) A copy of a signed paper document can usually be distinguished from the original 2 Page 1

Digital Signatures A digital signature scheme is a method of signing a message stored in electronic form A digital signature is not attached physically to the message, so the scheme must somehow bind the signature to the message A digital signature can be verified by a publicly known verification algorithm (so anyone can verify a digital signature) A copy of a signed message cannot be distinguished from the original (so we must add some information such as a date to ensure that the signed message cannot be reused) 3 Digital Signature Construct that authenticated origin and/or contents of message in a manner provable to a disinterested third party ( judge ) Sender cannot deny having sent message (service is nonrepudiation ) Limited to technical proofs Inability to deny one s cryptographic key was used to sign One could claim the cryptographic key was stolen or compromised Legal proofs, etc., probably required; not dealt with here 4 Page 2

Digital Signature Scheme Consists of two components A signing algorithm Given a message, produces a signature A verification algorithm Given a pair (m, s), returns true if s is the signature of the message m; false otherwise 5 Common Error Classical:, share key k sends m { m } k to This is a digital signature WRONG This is not a digital signature Why? Third party cannot determine whether or generated message 6 Page 3

Classical Digital Signatures Require trusted third party, each share keys with trusted party Cathy To resolve dispute, judge gets { m } k, { m } k, and has Cathy decipher them; if messages matched, contract was signed Cathy Cathy { m }k { m }k { m }k 7 Public Key Digital Signatures s keys are d, e sends m { m } d In case of dispute, judge computes { { m } d } e and if it is m, signed message She is the only one who knows d! 8 Page 4

Digital Signatures in RSA RSA has an important property, not shared by other public key systems: encryption and decryption are commutative Encryption followed by decryption yields the original message (M e mod n) d mod n = M Decryption followed by encryption yields the original message (M d mod n) e mod n = M 9 RSA Digital Signatures Use private key to encipher message Protocol for use is critical Key points: Never sign random documents, and when signing, always sign hash and never document Mathematical properties can be turned against signer Sign message first, then encipher Changing public keys causes forgery 10 Page 5

Attack #1 Example:, communicating n A = 95, e A = 59, d A = 11 n B = 77, e B = 53, d B = 17 26 contracts, numbered 00 to 25 has sign 05 and 17: c = m db mod n B = 05 17 mod 77 = 3 c = m db mod n B = 17 17 mod 77 = 19 computes 05 17 mod 77 = 08; corresponding signature is 03 19 mod 77 = 57; claims signed 08 Judge computes c eb mod n B = 57 53 mod 77 = 08 Signature validated; is toast 11 Attack #2: s Revenge, agree to sign contract 06 enciphers, then signs: (m eb mod 77) da mod n A = (06 53 mod 77) 11 mod 95 = 63 now changes his public key Computes r such that 13 r mod 77 = 6; say, r = 59 Computes re B mod φ(n B ) = 59 53 mod 60 = 7 Replace public key e B with 7, private key d B = 43 claims contract was 13. Judge computes: (63 59 mod 95) 43 mod 77 = 13 Verified; now is toast 12 Page 6

El Gamal Digital Signature Relies on discrete log problem Choose p prime, g, d < p, compute y = g d mod p Public key: (y, g, p); private key: d To sign contract m: Choose k relatively prime to p 1, and not yet used Compute a = g k mod p Find b such that m = (da + kb) mod p 1 Signature is (a, b) To validate, check that y a a b mod p = g m mod p 13 Example chooses p = 29, g = 3, d = 6 y = 3 6 mod 29 = 4 wants to send signed contract 23 Chooses k = 5 (relatively prime to 28) This gives a = g k mod p = 3 5 mod 29 = 11 Then solving 23 = (6 11 + 5b) mod 28 gives b = 25 sends message 23 and signature (11, 25) verifies signature: g m mod p = 3 23 mod 29 = 8 and y a a b mod p = 4 11 11 25 mod 29 = 8 They match, so signed 14 Page 7

Attack Eve learns k, corresponding message m and signature (a, b) Extended Euclidean Algorithm gives d, the private key Example from above: Eve learned signed last message with k = 5 m = (da + kb) mod (p 1) = (11d + 5 25) mod 28 so s private key is d = 6 15 Digital Signature Standard (DSS) Developed by NSA Proposed in 1991, adopted as a standard in 1994 Modification of El Gamal signature scheme NIST Digital Signature Standard System-wide constants p 512-1024 bit prime (approx.170 digits) q 160 bit prime divisor of p-1 a = h ((p-1)/q) mod p, for chosen h with1<h<p-1 x selected random between 1 and q-1 inclusive y = a x mod p The public key is (p, q, a, y) 16 Page 8

Protocols: notation X Y : { Z W } k X,Y X sends Y the message produced by concatenating Z and W enciphered by key k X,Y, which is shared by users X and Y A T : { Z } k A { W } k A,T A sends T a message consisting of the concatenation of Z enciphered using k A, A s key, and W enciphered using k A,T, the key shared by A and T r 1, r 2 nonces (nonrepeating random numbers) 17 Session, Interchange Keys wants to send a message m to Assume public key encryption generates a random cryptographic key k s and uses it to encipher m To be used for this message only Called a session key She enciphers k s with s public key k B k B enciphers all session keys uses to communicate with Called an interchange key sends { m } k s { k s } k B 18 Page 9

Benefits Limits amount of traffic enciphered with single key Standard practice, to decrease the amount of traffic an attacker can obtain Prevents some attacks Example: will send message that is either BUY or SELL. Eve computes possible ciphertexts { BUY } k B and { SELL } k B. Eve intercepts enciphered message, compares, and gets plaintext at once 19 Key Exchange Algorithms Goal:, get shared key Key cannot be sent in clear Attacker can listen in Key can be sent enciphered, or derived from exchanged data plus data not known to an eavesdropper, may trust third party All cryptosystems, protocols publicly known Only secret data is the keys, or information known only to and needed to derive keys Anything transmitted is assumed known to attacker 20 Page 10

Classical Key Exchange Bootstrap problem: how do, begin? cannot send it to in the clear! Assume trusted third party, Cathy and Cathy share secret key k A and Cathy share secret key k B Use this to exchange shared key k s 21 Simple Protocol { request for session key to } k A Cathy { k s } k A { k s } k B Cathy { k s } k B 22 Page 11

Problems How does know he is talking to? Replay attack: Eve records message from to, later replays it; may think he s talking to, but he isn t Session key reuse: Eve replays message from to, so re-uses session key Protocols must provide authentication and defense against replay 23 Needham-Schroeder r 1 Cathy { r 1 k s { k s } k B } k A Cathy { k s } k B { r 2 } k s { r 2 1 } k s 24 Page 12

Argument: & talking Second message Enciphered using key only she, Cathy knows So Cathy enciphered it Response to first message As r 1 in it matches r 1 in first message Third message knows only can read it As only can derive session key from message Any messages enciphered with that key are from 25 Argument: talking to Third message Enciphered using key only he, Cathy know So Cathy enciphered it Names, session key Cathy provided session key, says is other party Fourth message Uses session key to determine if it is replay from Eve If not, will respond correctly in fifth message If so, Eve can t decipher r 2 and so can t respond, or responds incorrectly 26 Page 13

Denning-Sacco Modification Assumption: all keys are secret Question: suppose Eve can obtain session key. How does that affect protocol? In what follows, Eve knows k s Eve { k s } k B Eve Eve { r 2 } k s { r 2 1 } k s 27 Solution In protocol above, Eve impersonates Problem: replay in third step First in previous slide Solution: use time stamp T to detect replay Weakness: if clocks not synchronized, may either reject valid messages or accept replays Parties with either slow or fast clocks vulnerable to replay Resetting clock does not eliminate vulnerability 28 Page 14

Needham-Schroeder with Denning-Sacco Modification r 1 Cathy { r 1 k s { T k s } k B } k A Cathy { T k s } k B { r 2 } k s { r 2 1 } k s 29 Public Key Key Exchange Here interchange keys known e A, e B and s public keys known to all d A, d B and s private keys known only to owner Simple protocol k s is desired session key { k s } e B 30 Page 15

Problem and Solution Vulnerable to forgery or replay Because e B known to anyone, has no assurance that sent message Simple fix uses s private key k s is desired session key { { k s } d A } e B 31 Notes Can include message enciphered with k s Assumes has s public key, and vice versa If not, each must get it from public server If keys not bound to identity of owner, attacker Eve can launch a man-in-the-middle attack Solution to this (binding identity to keys) discussed later as public key infrastructure (PKI) 32 Page 16

Key Generation Goal: generate keys that are difficult to guess Problem statement: given a set of K potential keys, choose one randomly Equivalent to selecting a random number between 0 and K 1 inclusive Why is this hard: generating random numbers Actually, numbers are usually pseudo-random, that is, generated by an algorithm 33 Best Pseudorandom Numbers Strong mixing function: function of 2 or more inputs with each bit of output depending on some nonlinear function of all input bits Examples: DES, MD5, SHA-1 In UNIX-based multiuser systems, the list of all information about all processes on system 34 Page 17

Crypto Key Infrastructure Goal: bind identity to key Classical: not possible as all keys are shared Use protocols to agree on a shared key (seen earlier) Public key: bind identity to public key Crucial as people will use key to communicate with principal whose identity is bound to key Erroneous binding means no secrecy between principals Assume principal identified by an acceptable name 35 Key Distribution Solutions Certificate Authority: Centralized Approach Has a very well publicized public key, so that clients can be sure that they re talking to the CA This is the public key version of the Kerberos protocol 36 Page 18

Digital Certificates A digital certificate is an assertion Digitally signed by a certificate authority, famous and with known public key An assertion Typically an identity assertion, sometimes a list of authorizations Create token (message) containing Identity of principal (here, ) Corresponding public key Timestamp (when issued) Other information (perhaps identity of signer) signed by trusted authority (here, Cathy) C A = { e A T } d C 37 Use gets s certificate If he knows Cathy s public key, he can decipher the certificate When was certificate issued? Is the principal? Now has s public key Problem: needs Cathy s public key to validate certificate Problem pushed up a level Two approaches: Merkle s tree, signature chains 38 Page 19

Certificate Signature Chains Create certificate Generate hash of certificate Encipher hash with issuer s private key Validate Obtain issuer s public key Decipher enciphered hash Recompute hash from certificate and compare Problem: getting issuer s public key 39 Key Distribution Solutions Certificate Authority: Distributed Approach PGP web of trust Each client maintains a list of Who you know Transitive set of people that they have introduced you to Confidence ratings on Their identity Their veracity 40 Page 20

Storing Keys Multi-user or networked systems: attackers may defeat access control mechanisms Encipher file containing key Attacker can monitor keystrokes to decipher files Key will be resident in memory that attacker may be able to read Use physical devices like smart card Key never enters system Card can be stolen, so have 2 devices combine bits to make single key 41 Key Revocation Certificates invalidated before expiration Usually due to compromised key May be due to change in circumstance (e.g., someone leaving company) Problems Entity revoking certificate authorized to do so Revocation information circulates to everyone fast enough Network delays, infrastructure problems may delay information 42 Page 21

Key secrecy There are problems with truly secret keys: What if someone loses or forgets a key? What if the holder of the key resigns or is killed? What if the user is a criminal? On the other hand simply divulging the key to anybody (even - or perhaps especially! - the government) is very insecure Encryption Dilemma Public s need for secure communication Government s need for lawful access to information 43 Key Escrow A proposed solution is Key Escrow: The private key is broken into pieces, which can be verified to be correct Each piece is given to some authority The whole key can only be reconstructed if all the authorities agree This is the basis of the US Clipper Chip http://www.cosc.georgetown.edu/~denning http://www.cpsr.org/program/clipper/clipper.html 44 Page 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback