Randomness Extractors. Secure Communication in Practice. Lecture 17

Similar documents
Cryptography. and Network Security. Lecture 0. Manoj Prabhakaran. IIT Bombay

CS155. Cryptography Overview

Verifying Real-World Security Protocols from finding attacks to proving security theorems

Cryptography. Lecture 12. Arpita Patra

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Summary on Crypto Primitives and Protocols

Findings for

Auth. Key Exchange. Dan Boneh

WAP Security. Helsinki University of Technology S Security of Communication Protocols

CS155. Cryptography Overview

Security: Cryptography

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Message authentication codes

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Information Security CS 526

Defeating All Man-in-the-Middle Attacks

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

CSC 774 Network Security

Cryptography (Overview)

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

CSE 127: Computer Security Cryptography. Kirill Levchenko

1 Achieving IND-CPA security

Feedback Week 4 - Problem Set

Information Security CS526

Symmetric Encryption 2: Integrity

Unit 8 Review. Secure your network! CS144, Stanford University

CSC/ECE 774 Advanced Network Security

DROWN - Breaking TLS using SSLv2

Crypto Background & Concepts SGX Software Attestation

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Lecture 1: Course Introduction

symmetric cryptography s642 computer security adam everspaugh

David Wetherall, with some slides from Radia Perlman s security lectures.

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

T Cryptography and Data Security

Cryptography Overview

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 7, 2013

CS 395T. Formal Model for Secure Key Exchange

Authenticated Encryption

But where'd that extra "s" come from, and what does it mean?

Lecture 20 Public key Crypto. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Bailey s ECE 422

: Practical Cryptographic Systems March 25, Midterm

Cryptographic hash functions and MACs

Chapter 4: Securing TCP connections

Computer Security CS 526

UNIT - IV Cryptographic Hash Function 31.1

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Internet security and privacy

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

CSE484 Final Study Guide

Security. Communication security. System Security

Transport Layer Security

SSH Algorithms for Common Criteria Certification

TLS1.2 IS DEAD BE READY FOR TLS1.3

Security issues: Encryption algorithms. Threats Methods of attack. Secret-key Public-key Hybrid protocols. CS550: Distributed OS.

Lecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model

Transport Level Security

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Cryptography. Andreas Hülsing. 6 September 2016

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

CS 161 Computer Security

TLS Security and Future

Transport Layer Security

TLSnotary - a mechanism for independently audited https sessions

Lecture 4: Authentication and Hashing

Lecture 1 Applied Cryptography (Part 1)

CSC 474/574 Information Systems Security

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Protecting TLS from Legacy Crypto

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

CS Paul Krzyzanowski

Computer Security Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Practical Aspects of Modern Cryptography

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Refresher: Applied Cryptography

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

symmetric cryptography s642 computer security adam everspaugh

Analysis, demands, and properties of pseudorandom number generators

CS 161 Computer Security

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

SSL / TLS. Crypto in the Ugly Real World. Malvin Gattinger

Meru Networks. Security Gateway SG1000 Cryptographic Module Security Policy Document Version 1.2. Revision Date: June 24, 2009

Cryptography Overview

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Lecture 10: Communications Security

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

Overview of TLS v1.3 What s new, what s removed and what s changed?

Introduction. INF3510 Information Security. Lecture 10: Communications Security. Outline. Network Security Concepts. University of Oslo Spring 2018

Data Integrity. Modified by: Dr. Ramzi Saifan

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

CS 161 Computer Security

Cryptography 2017 Lecture 3

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Transcription:

Randomness Extractors. Secure Communication in Practice Lecture 17

11:00-12:30 What is MPC? Manoj Monday 2:00-3:00 Zero Knowledge Muthu 3:30-5:00 Garbled Circuits Arpita Yuval Ishai Technion & UCLA 9:00-10:30 Randomized Encoding Yuval Tuesday 11:00-12:30 Oblivious Transfer Arpita 2:00-3:30 Composition Muthu Muthu Venkitasubramaniam U Rochester 4:00-5:00 MPC Complexity Manoj Arpita Patra IISc 9:00-10:30 Honest-Majority MPC Vassilis Wednesday 11:00-12:30 "MPC in the head Yuval Vassilis Zikas RPI 2:00-3:00 Asynchronous MPC Vassilis Manoj Prabhakaran IIT Bombay

Randomness Extraction

Randomness Extractors Consider a PRG which outputs a pseudorandom group element in some complicated group A standard bit-string representation of a random group element may not be (pseudo)random Can we efficiently map it to a pseudorandom bit string? Depends on the group... Suppose a chip for producing random bits shows some complicated dependencies/biases, but still is highly unpredictable Can we purify it to extract uniform randomness? Depends on the specific dependencies... A general tool for purifying randomness: Randomness Extractor

Randomness Extractors Statistical guarantees (output not just pseudorandom, but truly random, if input has sufficient entropy) 2-Universal Hash Functions Optimal in all parameters except seed length Constructions with shorter seeds known e.g. Based on expander graphs

Randomness Extractors Strong extractor: output is random even when the seed for extraction is revealed 2-UHF is an example Useful in key agreement Alice and Bob exchange a non-uniform key, with a lot of pseudoentropy for Eve (say, g xy ) Alice sends a random seed for a strong extractor to Bob, in the clear Key derivation: Alice and Bob extract a new key, which is pseudorandom (i.e., indistinguishable from a uniform bit string)

Randomness Extractors Pseudorandomness Extractors (a.k.a. computational extractors): output is guaranteed only to be pseudorandom if input has sufficient (pseudo)entropy Key Derivation Function: Strong pseudorandomness extractor Cannot directly use a block-cipher, because pseudorandomness required even when the randomly chosen seed is public ( salt ) Extract-Then-Expand: Enough to extract a key for a PRF Can be based on HMAC or CBC-MAC: Statistical guarantee, if compression function/block-cipher is a random function/ random permutation Models IPsec Key Exchange (IKE) protocol. HMAC version later standardised as HKDF.

Randomness Extractors Extractors for use in system Random Number Generator (think /dev/random) Additional issues: Online model, with a variable (and unknown) rate of entropy accumulation Should recover from compromise due to low entropy phases Constructions provably secure in such models known Using PRG (e.g., AES in CTR mode), universal hashing and pool scheduling (similar to Fortuna, used in Windows)

Secure Communication In Practice

We saw... Symmetric-Key Components SKE, MAC Public-Key Components PKE, Digital Signatures Building blocks: Block-ciphers (AES), Hash-functions (SHA-3), Trapdoor PRG/OWP for PKE (e.g., DDH, RSA) and Random Oracle heuristics (in RSA-OAEP, RSA-PSS) Symmetric-Key primitives much faster than Public-Key ones Hybrid Encryption gets best of both worlds

Secure Communication in Practice Can do at application-level e.g. between web-browser and web-server Or lower-level infrastructure to allow use by more applications e.g. between OS kernels, or between network gateways Standards in either case To be interoperable To not insert bugs by doing crypto engineering oneself e.g.: SSL/TLS (used in https), IPSec (in the network layer )

Security Architectures Security architecture (client perspective) (An example) From the IBM WebSphere Developer Technical Journal

Secure Communication Infrastructure Goal: a way for Alice and Bob to get a private and authenticated communication channel (can give a detailed SIM-definition) Simplest idea: Use a (SIM-CCA secure) public-key encryption (possibly a hybrid encryption) to send signed (using an existentially unforgeable signature scheme) messages (with sequence numbers and channel id) Limitation: Alice, Bob need to know each other s public-keys But typically Alice and Bob engage in transactions, exchanging multiple messages, maintaining state throughout the transaction Makes several efficiency improvements possible

Secure Communication Infrastructure Secure Communication Sessions Handshake protocol: establish private shared keys (Authenticated) Key-Exchange Record protocol: use efficient symmetric-key schemes Server-to-server communication: Both parties have (certified) public-keys Client-server communication: server has (certified) public-keys Client knows server. Server willing to talk to all clients Client-Client communication (e.g., email) Clients share public-keys in ad hoc ways Server may know (some) clients too, using passwords, pre-shared keys, or if they have (certified) public-keys. Often implemented in application-layer

Certificate Authorities How does a client know a server s public-key? Based on what is received during a first session? (e.g., first ssh connection to a server) Better idea: Chain of trust Client knows a certifying authority s public key (for signature)

Certificate Authorities How does a client know a server s public-key? Based on what is received during a first session? (e.g., first ssh connection to a server) Better idea: Chain of trust Client knows a certifying authority s public key (for signature) Bundled with the software/hardware Certifying Authority signs the signature PK of the server CA is assumed to have verified that the PK was generated by the correct server before signing Validation standards: Domain/Extended validation

Forward Secrecy Servers have long term public keys that are certified Would be enough to have long term signature keys, but in practice long term encryption keys too Problem: if the long term key is leaked, old communications are also revealed Adversary may have already stored, or even actively participated in old sessions Solution: Use fresh public-keys/do a fresh key-exchange for each session (authenticated using signatures)

A Simple Secure Communication Scheme Handshake Client sends session keys for MAC and SKE to the server using SIM-CCA secure PKE, with server s PK (i.e. over an unauthenticated, but private channel) For authentication only: use MAC Server s PK either trusted (from a previous session for e.g) or certified by a trusted CA, using a Digital Signature scheme Need to avoid replay attacks (infeasible for server to explicitly check for replayed ciphertexts) In fact, a stream-mac : To send more than one message, but without allowing reordering For authentication + (CCA secure) encryption: encrypt-then-mac stream-cipher, and stream-mac Recall inefficient domainextension of MAC: Add a session-specific nonce and a sequence number to each message before MAC ing Authentication for free: MAC serves dual purposes!

TLS (SSL) Handshake Client sends session keys for MAC and SKE to the server using SIM-CCA secure PKE, with server s PK (i.e. over an unauthenticated, but private channel) For authentication only: use MAC In fact, a stream-mac : To send more than one message, but without allowing reordering For authentication + (CCA secure) encryption: encrypt-then-mac stream-cipher, and stream-mac Negotiations on protocol version etc. and cipher suites (i.e., which PKE/ key-exchange, SKE, MAC (and CRHF)). e.g. cipher-suite: RSA-OAEP for keyexchange, AES for SKE, HMAC-SHA256 for MAC Server sends a certificate of its PKE public-key, which the client verifies Server also contributes to keygeneration (to avoid replay attack issues): Roughly, client sends a key K for a PRF; a master key generated as PRF K (x,y) where x from client and y from server. SKE and MAC keys derived from master key Uses MAC-then-encrypt! Not CCA secure in general, but secure with stream-cipher (and with some other modes of block-ciphers, like CBC) Several details on closing sessions, session caching, resuming sessions

TLS: Some Considerations Overall security goal: Authenticated and Confidential Channel Establishment (ACCE), or Server-only ACCE Handshake Protocol Cipher suites are negotiated, not fixed Downgrade attacks Doesn t use CCA secure PKE, but overall CCA secure if error in decryption never revealed (tricky to ensure!) Record Protocol Using MAC-then-Encrypt is tricky: CCA-secure when using SKE implemented using a stream cipher (or block-cipher in CTR mode) or CBC-MAC But insecure if it reveals information from decryption phase. e.g., different times taken by MAC check (or different error messages!) when a format error in decrypted message

TLS: Some Considerations Numerous vulnerabilities keep surfacing FREAK, DROWN, POODLE, Heartbleed, Logjam, And numerous unnamed ones: www.openssl.org/news/vulnerabilities.html Listed as part of Common Vulnerabilities and Exposures (CVE) list: cve.mitre.org/ Bugs in protocols Often in complex mechanisms created for efficiency Often facilitated by the existence of weakened export grade encryption and improved computational resources Also because of weaker legacy encryption schemes (e.g. Encryption from RSA PKCS#1 v1.5 known to be not CCA secure and replaced in 1998 is still used in TLS) Bugs in implementations Side-channels originally not considered Back-Doors (?) in the primitives used in the standards

TLS: Some Considerations Numerous vulnerabilities keep surfacing FREAK, DROWN, POODLE, Heartbleed, Logjam, And numerous unnamed ones: www.openssl.org/news/vulnerabilities.html Listed as part of Common Vulnerabilities and Exposures (CVE) list: cve.mitre.org/ Bugs in protocols Often in complex mechanisms created for efficiency Often facilitated by the existence of weakened export grade encryption and improved computational resources Also because of weaker legacy encryption schemes (e.g. Encryption from RSA PKCS#1 v1.5 known to be not CCA secure and replaced in 1998 is still used in TLS) Bugs in implementations Side-channels originally not considered 5 (Kenny Paterson & Thyla van der Merwe, Dec 2016 ) Back-Doors (?) in the primitives used in the standards

Beyond Communication Encryption/Authentication used for data at rest e.g., disk encryption, storing encrypted data on a cloud server, Security definitions like SIM-CCA do not directly extend to all these settings New concerns that do not arise in setting up communication channels e.g., circular (in)security: encrypting the SK using its own PK

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback