CS3235 Seventh set of lecture slides

Similar documents
Spring 2010: CS419 Computer Security

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Chapter 9: Key Management

Chapter 9. Public Key Cryptography, RSA And Key Management

What did we talk about last time? Public key cryptography A little number theory

Secure Multiparty Computation

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Public Key Algorithms

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Lecture 2 Applied Cryptography (Part 2)

CSC/ECE 774 Advanced Network Security

Cryptographic Checksums

Cryptography and Network Security

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Authentication Handshakes

Chapter 9 Public Key Cryptography. WANG YANG

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

Overview. Public Key Algorithms I

CSC 474/574 Information Systems Security

Kurose & Ross, Chapters (5 th ed.)

Key Management and Distribution

Public Key Algorithms

EEC-682/782 Computer Networks I

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Cryptographic Protocols 1

1 Identification protocols

Number Theory and RSA Public-Key Encryption

CPSC 467b: Cryptography and Computer Security

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Public Key Algorithms

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

CS 161 Computer Security

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

CSC 774 Network Security

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Study Guide for the Final Exam

Lecture 19: cryptographic algorithms

1. Diffie-Hellman Key Exchange

Public Key Cryptography

Cryptography and Network Security Chapter 10. Fourth Edition by William Stallings

Trusted Intermediaries

AIT 682: Network and Systems Security

CS Computer Networks 1: Authentication

CS61A Lecture #39: Cryptography

Topics. Number Theory Review. Public Key Cryptography

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Security Handshake Pitfalls

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Fall 2010/Lecture 32 1

Lecture 15: Cryptographic algorithms

CSC 474/574 Information Systems Security

LECTURE 4: Cryptography

Lecture 6 - Cryptography

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

Information Security CS 526

Key Establishment and Authentication Protocols EECE 412

Other Topics in Cryptography. Truong Tuan Anh

Secure Multiparty Computation

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

Chapter 3 Public Key Cryptography

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

Public Key Cryptography and the RSA Cryptosystem

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

22-security.txt Tue Nov 27 09:13: Notes on Security Protocols , Fall 2012 Carnegie Mellon University Randal E.

Security Handshake Pitfalls

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

Outline Key Management CS 239 Computer Security February 9, 2004

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

1.264 Lecture 28. Cryptography: Asymmetric keys


CS 425 / ECE 428 Distributed Systems Fall 2017

Chapter 8 Security. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

Public Key Cryptography, OpenPGP, and Enigmail. 31/5/ Geek Girls Carrffots GVA

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

CPSC 467b: Cryptography and Computer Security

KEY AGREEMENT PROTOCOLS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 13 of Trappe and Washington

(2½ hours) Total Marks: 75

Encryption. INST 346, Section 0201 April 3, 2018

CS408 Cryptography & Internet Security

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

Cryptography Symmetric Cryptography Asymmetric Cryptography Internet Communication. Telling Secrets. Secret Writing Through the Ages.

Chapter 10: Key Management

Transcription:

CS3235 Seventh set of lecture slides Hugh Anderson National University of Singapore School of Computing October, 2007 Hugh Anderson CS3235 Seventh set of lecture slides 1

Warp 9...

Outline 1 Public Key Systems Asymmetric encryption RSA 2 Hugh Anderson CS3235 Seventh set of lecture slides 3

Whats the idea? Public Key Systems Asymmetric encryption RSA A relatively recent new idea... In 1976 Diffie and Hellman published the paper New Directions in Cryptography, which first introduced the idea of public key cryptography. Public key cryptography relies on the use of enciphering functions which are not realistically invertible unless you have a deciphering key Easy to do one way - hard to do the other way. The discrete logarithm problem: easy to calculate n = g k mod p given g, k and p, hard to calculate k in the same equation, given g, n and p. Hugh Anderson CS3235 Seventh set of lecture slides 4

Diffie-Hellman key agreement Public Key Systems Asymmetric encryption RSA Two separated users create and share a secret key. A third party is not realistically able to calculate the shared key. Alice p,g,a a g mod p b g mod p Bob p,g,b b g mod p a g mod p p,g a g mod p b g mod p Ted Hugh Anderson CS3235 Seventh set of lecture slides 5

Knowledge is different Public Key Systems Asymmetric encryption RSA Consider what each participant knows... All participants know two system parameters p, and g Alice and Bob each have a secret value (Alice has a and Bob has b) Alice and Bob each calculate and exchange a public key (g a mod p for Alice and g b mod p for Bob). Ted knows g, p, g a mod p and g b mod p, but not a or b. Hugh Anderson CS3235 Seventh set of lecture slides 6

Diffie-Hellman key agreement Public Key Systems Asymmetric encryption RSA So what does each party do? Both Alice and Bob can now calculate the value g ab mod p. 1 Alice calculates (g b mod p) a mod p = (g b ) a mod p. 2 Bob calculates (g a mod p) b mod p = (g a ) b mod p. Shared key is (g b ) a mod p = (g a ) b mod p = g ab mod p. Ted has a much more difficult problem. It is difficult to calculate g ab mod p without knowing either a or b. The algorithmic run-time of the (so-far best) algorithm is: O(e c r log r ) where c is small, but 1, and r is the number of bits Hugh Anderson CS3235 Seventh set of lecture slides 7

Diffie-Hellman key agreement Public Key Systems Asymmetric encryption RSA By contrast, the enciphering and deciphering process may be done in O(r) Bit size Enciphering Discrete logarithm solution 10 10 23 100 100 1,386,282 1,000 1,000 612,700,000,000,000,000,000,000 Hugh Anderson CS3235 Seventh set of lecture slides 8

Uses of asymmetric encryption Public Key Systems Asymmetric encryption RSA What use is asymmetric encryption? 1 Generating encrypted passwords with 1-way functions 2 Checking integrity by appending digital signature 3 Checking the authenticity of a message. 4 Encrypting timestamps with messages to prevent replay attacks. 5 Exchanging a key. Note that... Participants each have private and public keys Keys cannot be derived from each other Hugh Anderson CS3235 Seventh set of lecture slides 9

Asymmetric encryption Public Key Systems Asymmetric encryption RSA A model for public/private keys Alice P (Plaintext) (Encrypted) Bob K pub[p] * * P (Plaintext) K pub K priv K pub K priv Alice uses K pub to encrypt Harry the hacker Bob creates a pair of K keys Freely gives away Kpub Keeps K priv secret. K pub is public key for Bob, K priv is his private key. Only Bob can decrypt Hugh Anderson CS3235 Seventh set of lecture slides 10

Asymmetric authentication Public Key Systems Asymmetric encryption RSA A model for asymmetric authentication Jpriv Jpub Alice P (Plaintext) (Encrypted) Bob J priv [P] * * P (Plaintext) Jpriv J pub K priv K pub Alice creates a pair of J keys Alice uses J priv to encrypt Harry the hacker... O.K.... Bob decrypts with Jpub J priv is private key for Alice, J pub is her public key. Only Alice could have encrypted message Hugh Anderson CS3235 Seventh set of lecture slides 11

Authentication and encryption Public Key Systems Asymmetric encryption RSA Can both authenticate and encrypt... Barbara George J J priv [hash(p)] priv * * J pub Hash function P (Plaintext) * K pub[p] * Hash function (Compare) P (Plaintext) Jpriv J pub K pub K priv K priv K pub Making sure of digital signatures. Hash function... Hugh Anderson CS3235 Seventh set of lecture slides 12

RSA (Rivest, Shamir, Adelman) Public Key Systems Asymmetric encryption RSA RSA is a well known public key encryption technique: This public key system relies on the difficult problem of trying to find the complete factorization of a large composite a integer whose prime factors b are not known. a An integer larger than 1 is called composite if it has at least one divisor larger than 1. b The Fundamental Theorem of Arithmetic states that any integer N (greater than 0) may be expressed uniquely as the product of prime numbers. Hugh Anderson CS3235 Seventh set of lecture slides 13

RSA hacks Public Key Systems Asymmetric encryption RSA How easy is it to crack? Two RSA-encrypted messages have been cracked: The inventors of RSA published a 129-digits (430 bits) RSA public key. In 1994, it was factored with 5000 MIPS-years of computing time. A year later, a 384-bit PGP key was cracked. It needed 1300 MIPS-years to factor the key in three months. Note that these efforts each only cracked a single RSA key. Hugh Anderson CS3235 Seventh set of lecture slides 14

RSA coding algorithms Public Key Systems Asymmetric encryption RSA The four processes needed for RSA encryption: 1 Creating a public key 2 Creating a secret key 3 Encrypting messages 4 Decoding messages Hugh Anderson CS3235 Seventh set of lecture slides 15

Public Key Systems Asymmetric encryption RSA To create public key K p and private key K s Step 1 - create public key 1 Select two different large primes P and Q. 2 Assign x = (P 1)(Q 1). (Does this ring a bell?) 3 Choose E relative prime to x. 4 Assign N = P Q. 5 K p is N concatenated with E. Step 2 - create private/secret key 1 Choose D: D E mod x = 1 (i.e. multiplicative inverses) or - put another way: DE = k(p 1)(Q 1) + 1 2 K s is N concatenated with D. Hugh Anderson CS3235 Seventh set of lecture slides 16

Public Key Systems Asymmetric encryption RSA To encode and decode plain text m Step 3 - encoding 1 Pretend m is a number. 2 Calculate c = m E mod N. Step 4 - decoding 1 Calculate m = c D mod N. 2...WHY?... Hugh Anderson CS3235 Seventh set of lecture slides 17

...Why?... Public Key Systems Asymmetric encryption RSA Note that it decodes back to m c D mod N = m ED mod N = m k(p 1)(Q 1)+1 mod PQ = m m k(p 1)(Q 1) modpq = m m P 1 mod P = 1, so (m (P 1) ) k(q 1) modp = 1 m Q 1 mod Q = 1, and so (tutorial) (m (P 1) ) k(q 1) modpq = 1. Hugh Anderson CS3235 Seventh set of lecture slides 18

RSA code Public Key Systems Asymmetric encryption RSA Perl script that (kind of) does RSA #!/usr/bin/perl -sp0777i<x+d*lmla^*ln%0]dsxx++lmln/ds M0<j]dsj$/=unpack( H*,$_);$_= echo 16dio\U$k"SK$/SM $n\esn0p[ln*1lk[d2%sa2/d0$^ixp" dc ;s/\w//g;$_= pack( H*,/((..)*)$/) and then echo "squeamish ossifrage"./rsa.perl -k=10001 -n=1967cb529 > msg.rsa./rsa.perl -d -k=ac363601 -n=1967cb529 < msg.rsa Hugh Anderson CS3235 Seventh set of lecture slides 19

Hub Hub Hub Hub Hub Hub Hub Hub New topic:... Consider the Internet - routers and hosts Host computer(s) Router computer(s) Host computer(s) Host computer(s) Lots of opportunity to snoop, modify, DoS, etc etc Hugh Anderson CS3235 Seventh set of lecture slides 20

Routing and packets... Internet traffic sent in packets... Routing info added (to and from addresses, size, type of message, sequence number) Little message Lots of opportunity to modify routing information, spoof etc Hugh Anderson CS3235 Seventh set of lecture slides 21

/Cerberus Three headed dog which guards the gates of hell... Hugh Anderson CS3235 Seventh set of lecture slides 22

What is it? Network authentication protocol. Strong authentication for client/server applications using public key cryptography. is freely available in source form is also available in commercial products. Client can prove its identity to a server (and vice versa) across an insecure network connection. Hugh Anderson CS3235 Seventh set of lecture slides 23

Authentication... and encryption. After a client and server have used to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business. Must have a Key Distribution Center (KDC) uses Needham-Schroeder protocol. Hugh Anderson CS3235 Seventh set of lecture slides 24

Sequence of messages for granting tickets KDC Authentication Ticket granting (1) (2) (3) (4) (5) Server (6) Client Hugh Anderson CS3235 Seventh set of lecture slides 25

Sequence of messages for granting tickets When a client first authenticates to, she: 1 Talks to KDC, to get a Ticket Granting Ticket 2 Uses that to talk to the Ticket Granting Service 3 Uses the ticket, to interact with the server. This way a user doesn t have to reenter passwords every time they wish to connect to a Kerberized service. If the Ticket Granting Ticket is compromised, an attacker can only masquerade as a user until the ticket expires. Hugh Anderson CS3235 Seventh set of lecture slides 26

protocol Two sorts of credentials: tickets and authenticators: 1 A ticket T c,s contains the client s name and network address, the server s name, a timestamp and a session key. This is encrypted with the server s secret key (so that the client is unable to modify it). 2 An authenticator A c,s contains the client s name, a timestamp and an optional extra session key. This is encrypted with the session key shared between the client and the server. Hugh Anderson CS3235 Seventh set of lecture slides 27

protocol Notation A key K x,y is a session key shared by both x and y. When we encrypt a message M using the key K x,y we write it as {M}K x,y. Hugh Anderson CS3235 Seventh set of lecture slides 28

protocol Alice wants session key for communication with Bob: Alice sends message to Ted containing her identity, Ted s TGS identity, and one-time value (n) : {a, tgs, n}. Ted responds with a key encrypted with Alice s secret key (which Ted knows), and a ticket encrypted with the TGS secret key: {K a,tgs, n}k a {T a,tgs }K tgs. Alice now has ticket and session key: {T a,tgs }K tgs, K a,tgs Alice can prove her identity to the TGS, as she has session key K a,tgs, and Ticket Granting Ticket: {T a,tgs }K tgs. Hugh Anderson CS3235 Seventh set of lecture slides 29

protocol Later, Alice can ask the TGS for a specific service ticket: When Alice wants a ticket for a specific service (say with Bob), she sends an authenticator along with the Ticket Granting Ticket to the TGS: {A a,b }K a,tgs {T a,tgs }K tgs, b, n. The TGS responds with a suitable key and a ticket: {K a,b, n}k a,tgs {T a,b }K b. Alice can now use an authenticator and ticket directly with Bob: {A a,b }K a,b {T a,b }K b. Hugh Anderson CS3235 Seventh set of lecture slides 30

Weaknesses Properties of the protocol Host security: makes no provisions for host security; it assumes that it is running on trusted hosts with an untrusted network. KDC compromises: uses a principal s password (encryption key) as the fundamental proof of identity. Salt: This is an additional input to the one-way hash algorithm. Hugh Anderson CS3235 Seventh set of lecture slides 31

A voting protocol is one in which... independent systems vote in a kind of election, and afterwards we can check that the vote was correct. Each voter is only allowed a single vote, and the system should be corruption-proof. Hugh Anderson CS3235 Seventh set of lecture slides 32

A voting protocol... Example with Alice, Bob and Charles (!), who vote and then encrypt and sign a series of messages using public-key encryption. For example, if Alice votes v A, then she will broadcast to all other voters the message R A (R B (R C (E A (E B (E C (v A )))))) where R A is a random encoding function which adds a random string to a message before encrypting it with A s public key, and E A is public key encryption with A s public key. Hugh Anderson CS3235 Seventh set of lecture slides 33

At the end, everybody can check... Each voter then signs the message and decrypts one level of the encryption. At the end of the protocol, each voter has a complete signed audit trail and is ensured of the validity of the vote. Hugh Anderson CS3235 Seventh set of lecture slides 34

Tossing a coin Lets pretend we are gambling... Alice and Bob want to toss a coin Alice calculates two primes p, q and calculates N = pq, sends N to Bob. N = 35 = 5 7 If Bob can factorize the number, then Bob wins a coin toss. Bob selects random x, and sends x 2 mod N = y to Alice. y = 31 2 mod 35 = 16 Hugh Anderson CS3235 Seventh set of lecture slides 35

Tossing a coin And then Alice does this: Alice calculates the four square roots of 16: 1 4 2 mbox 35 = 16 2 31 2 mbox 35 = 16 3 24 2 mbox 35 = 16 4 11 2 mbox 35 = 16 This is easy for Alice, as she knows the prime factors of N. She then sends one of these back to Bob. Hugh Anderson CS3235 Seventh set of lecture slides 36

Tossing a coin So what does Bob do? If Bob receives x or x, then he learns nothing, but if Bob receives either of the other values: GCD(24 + 31, 35) = GCD(55, 35) = 5 Alice is unable to tell she has divulged the factor Hugh Anderson CS3235 Seventh set of lecture slides 37

Oblivious transfer... In an oblivious transfer, randomness is used to convince participants of the fairness of some transaction In a coin-tossing example, Alice knows the prime factors of a large number, and if Bob can factorize the number, then Bob wins a coin toss. A protocol allows Alice to either divulge one of the prime factors to Bob, or not, with equal probability. Alice is unable to tell if she has divulged the factor, and so the coin toss is fair. Hugh Anderson CS3235 Seventh set of lecture slides 38

Contract signing Signing contracts can be difficult: If one party signs the contract, the other may not. We have one party bound by the contract, and the other not. In addition, both may sign, and then one may say I didn t sign any contract! afterwards. Hugh Anderson CS3235 Seventh set of lecture slides 39

Contract signing Use oblivious transfer for contract signing... Oblivious transfer used for contract-signing where Up to a certain point neither party is bound After that point both parties are bound Either party can prove that the other party signed Alice and Bob exchange signed messages, agreeing to be bound by a contract with ever-increasing probability Hugh Anderson CS3235 Seventh set of lecture slides 40

Contract signing What if someone tries to terminate early? In the event of early termination of the contract, either party can take the messages they have to an adjudicator, who chooses a random probability value (42% say) before looking at the messages. If both messages are over 42% then both parties are bound. If less then both parties are free. Hugh Anderson CS3235 Seventh set of lecture slides 41

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback