Identification Schemes

Similar documents
Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Cryptographic protocols

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Computer Security CS 426 Lecture 35. CS426 Fall 2010/Lecture 35 1

Session key establishment protocols

Password. authentication through passwords

Notes for Lecture 24

Session key establishment protocols

Study Guide for the Final Exam

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

CS 161 Computer Security

HOST Authentication Overview ECE 525

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

A Mathematical Proof. Zero Knowledge Protocols. Interactive Proof System. Other Kinds of Proofs. When referring to a proof in logic we usually mean:

Zero Knowledge Protocols. c Eli Biham - May 3, Zero Knowledge Protocols (16)

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Information Security CS 526

Dawn Song

Cryptography: Entity Authentication. Entity Identification (Authentication) Remarks. Objectives

Security Handshake Pitfalls

CSE 565 Computer Security Fall 2018

Zero Knowledge Protocol

Information Security CS 526

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

1 Identification protocols

CSA E0 312: Secure Computation October 14, Guest Lecture 2-3

MTAT Cryptology II. Entity Authentication. Sven Laur University of Tartu

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms

Strong Password Protocols

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Cryptographic proof of custody for incentivized file-sharing

Authentication. Strong Password Protocol. IT352 Network Security Najwa AlGhamdi

CSC/ECE 774 Advanced Network Security

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

T Cryptography and Data Security

CSC 774 Network Security

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Security Handshake Pitfalls

Anonymous Password-based Authenticated Key Exchange

Password Authenticated Key Exchange by Juggling

Security Handshake Pitfalls

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

User Authentication Protocols

Homework 2 CS161 Computer Security, Spring 2008 Assigned 2/13/08 Due 2/25/08

User Authentication Protocols Week 7

6. Security Handshake Pitfalls Contents

CIS 4360 Secure Computer Systems Applied Cryptography

Introduction to Modern Cryptography. Benny Chor

2 Handout 20: Midterm Quiz Solutions Problem Q-1. On-Line Gambling In class, we discussed a fair coin ipping protocol (see lecture 11). In it, Alice a

Key Agreement Schemes

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

l20 nov zero-knowledge proofs

CS 395T. Formal Model for Secure Key Exchange

Appendix A: Introduction to cryptographic algorithms and protocols

L13. Reviews. Rocky K. C. Chang, April 10, 2015

ICS 180 May 4th, Guest Lecturer: Einar Mykletun

CSC 474 Network Security. Authentication. Identification

CS 161 Computer Security

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

HY-457 Information Systems Security

ENEE 459-C Computer Security. Security protocols

Security Handshake Pitfalls

Zero-Knowledge Proof and Authentication Protocols

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

AIT 682: Network and Systems Security

Authentication. Identification. AIT 682: Network and Systems Security

ENEE 459-C Computer Security. Security protocols (continued)

User Authentication. Modified By: Dr. Ramzi Saifan

Spring 2010: CS419 Computer Security

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Lecture 10, Zero Knowledge Proofs, Secure Computation

UNIT - IV Cryptographic Hash Function 31.1

ID protocols. Overview. Dan Boneh

Secure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Lecture 6.2: Protocols - Authentication and Key Exchange II. CS 436/636/736 Spring Nitesh Saxena. Course Admin

Chapter 9: Key Management

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

CS408 Cryptography & Internet Security

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

ECEN 5022 Cryptography

One-Time-Password-Authenticated Key Exchange

1. Diffie-Hellman Key Exchange

Contents Digital Signatures Digital Signature Properties Direct Digital Signatures

More crypto and security

Authentication Handshakes

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Cryptography and Network Security Chapter 13. Digital Signatures & Authentication Protocols

Applied Cryptography and Computer Security CSE 664 Spring 2017

User Authentication. Modified By: Dr. Ramzi Saifan

CSC 474/574 Information Systems Security

CS 161 Authentication Protocols. Zero knowledge review

Exercises with solutions, Set 3

Session Key Distribution

Secure Multiparty Computation

CSE 127: Computer Security Cryptography. Kirill Levchenko

Transcription:

Identification Schemes

Lecture Outline Identification schemes passwords one-time passwords challenge-response zero knowledge proof protocols

Authentication Data source authentication (message authentication): a message is generated by a specific party. Entity authentication (identification): the process whereby one party (the verifier) is assured of the identity of a second party (prover) involved in a protocol

Requirements of Identification Protocols Requirements of identification protocols for honest prover A and verifier B, A is able to convince B no other party can convince B in particular, B cannot convince C that it is A Kinds of attackers passive and replay active, man in the middle the verifier

Properties of Identification Protocols Computational efficiency Communication efficiency Security requirement of communication channels Trust in verifier Storage of secrets Involvement of a third party Nature of trust in the third party Nature of security: provable security

Authentication Using Fixed Passwords Prover authenticates to a verifier using a password. Require secure communication channels Total trust in verifier Passwords must be kept in encrypted form or just digests of passwords are kept. Attacks: Replay of fixed passwords Online exhaustive password search Offline password-guessing and dictionary attacks

Unix crypt Algorithm Used to store Unix passwords Information stored is /etc/passwd is: Iterated DES encryption of 0 (64 bits), using the password as key 12 bit random salt taken from the system clock time at the password creation Unix use salting to change the expansion function in DES to make dictionary attacks more difficult. also to prevent use of off-the-shelf DES chips

One-time passwords Each password is used only once Defend against passive adversaries who eavesdrop and later attempt to impersonate Variations shared lists of one-time passwords challenge-response table sequentially updated one-time passwords one-time password sequences based on a one-way function

Lamport s One-Time Password Stronger authentication than password-based One-time setup: A selects a value w, a hash function H(), and an integer t, computes w 0 = H t (w) and sends w 0 to B B stores w 0 Protocol: to identify to B for the i th time, 1 i t A sends to B: A, i, w i = H t-i (w) B checks i = i A, H(w i ) = w i-1 if both holds, i A = i A +1

Challenge-Response Protocols Goal: one entity authenticates to other entity proving the knowledge of a secret, challenge Time-variant parameters used to prevent replay, interleaving attacks, provide uniqueness and timeliness : nounce (used only once) Three types: Random numbers Sequences Timestamp

Challenge-Response Protocols Random numbers: pseudo-random numbers that are unpredictable to an adversary; need strong pseudo-random strings; must maintain state; Sequences: serial number or counters; long-term state information must be maintained by both parties+ synchronization Timestamp: provides timeliness and detects forced delays; requires synchronized clocks.

Challenge-response based on symmetric-key encryption Unilateral authentication, timestamp-based A to B: E K (t A, B) Unilateral authentication, random-number-based B to A: r B A to B: E K (r B, B) Mutual authentication, using random numbers B to A: r B A to B: E K (r A, r B, B) B to A: E K (r B, r A )

Challenge-Response Protocols Using Digital Signatures unilateral authentication with timestamp A B: cert A, t A, B, S A (t A, B) unilateral authentication with random numbers A B: r B A B: cert A, r A, B, S A (r A, r B, B) mutual authentication with random numbers A B: r B A B: cert A, r A, B, S A (r A, r B, B) A B: cert B, A, S B (r B, r A, A)

Zero-Knowledge Protocols Motivation: Password-based protocols: when Alice authenticates to a server, she gives her password, so the server can then impersonate her. Challenge-response improves on this, but still reveals partial information. Zero-knowledge protocols: allows a prover to prove that is posses a secret without revealing any information of use to the verifier.

Observations on the Protocol Multiple rounds Each round consists of 3 steps commit challenge respond If challenge can be predicted, then cheating is possible. cannot convince a third party (even if the party is online) If respond to more than one challenge with one commit, then the secret is revealed.

Zero Knowledge Proofs A kind of interactive proof system proof by interaction Involves a prover and a verifier Proving without revealing any other information

Two Kinds of Zero-Knowledge Proofs ZK proof of a statement convincing the verifier that a statement is true without yielding any other information example of a statement, a propositional formula is satisfiable ZK proof of knowledge of a secret convincing the verifier that one knows a secret, e.g., one knows the square root modulo N=pq

Properties Zero-Knowledge Proofs Properties of ZK Proofs: completeness honest prover who knows the secret convinces the verifier with overwhelming probability soundness no one who doesn t know the secret can convince the verifier with nonnegligible probability zero knowledge the proof does not leak any additional information How to formalize soundness and ZK?

Formalizing the Soundness Property The protocol should be a proof of knowledge A knowledge extractor exists that given a prover who can successfully convince the verifier, can extracts the secret

Formalizing ZK property For every possible verifier algorithm, a simulator exists taking what the verifier knows before the proof, can generate a communication transcript that is indistinguishable from one generated during ZK proofs honest verifier ZK considers only the verifier algorithm in the protocol Three kinds of indistinguishability perfect (information theoretic) statistical computational

Schnorr Id protocol (ZK Proof of Discrete Log) System parameter: p, q, g q (p-1) and g is an order q element in Z p * Public identity: v Private authenticator: s v = g -s mod p Protocol 1. A: picks random r in [1..q], sends x = g r mod p, 2. B: sends random challenge c in [1..2 t ] 3. A: sends y=sc+r mod q 4. B: accepts if x = (g y v c mod p)

Security of Schnorr Id protocol probability of forgery: 1/2 t soundness: ZK property honest verifier ZK not ZK if 2 t >log n is used

Converting Interactive ZK to Non-interactive ZK The only interactive role played by the verifier is to generate random challenges challenges not predictable by the prover The same thing can be done using oneway hash functions

Interactive ZK Implies Signatures Given a message M, replace the random challenge of the verifier by the one-way hash c=h(x M)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback