Introduction to Modern Cryptography. Benny Chor

Similar documents
CPSC 467b: Cryptography and Computer Security

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

CS Computer Networks 1: Authentication

Zero Knowledge Protocol

Lecture 10, Zero Knowledge Proofs, Secure Computation

Public Key Cryptography and the RSA Cryptosystem

1 Identification protocols

Dawn Song

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Authentication. Strong Password Protocol. IT352 Network Security Najwa AlGhamdi

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Cryptographic protocols

Strong Password Protocols

Study Guide for the Final Exam

Identification Schemes

E-cash. Cryptography. Professor: Marius Zimand. e-cash. Benefits of cash: anonymous. difficult to copy. divisible (you can get change)

Cryptographic proof of custody for incentivized file-sharing

Lecture 7 - Applied Cryptography

ECEN 5022 Cryptography

COIN FLIPPING BY TELEPHONE

CS 161 Authentication Protocols. Zero knowledge review

HY-457 Information Systems Security

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

A Mathematical Proof. Zero Knowledge Protocols. Interactive Proof System. Other Kinds of Proofs. When referring to a proof in logic we usually mean:

Zero Knowledge Protocols. c Eli Biham - May 3, Zero Knowledge Protocols (16)

Lecture 9. Authentication & Key Distribution

Cryptography III Want to make a billion dollars? Just factor this one number!

2 Handout 20: Midterm Quiz Solutions Problem Q-1. On-Line Gambling In class, we discussed a fair coin ipping protocol (see lecture 11). In it, Alice a

CS 425 / ECE 428 Distributed Systems Fall 2017

Security Handshake Pitfalls

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

CPSC 467: Cryptography and Computer Security

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

Algorithms (III) Yijia Chen Shanghai Jiaotong University

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

CS 161 Computer Security

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

Algorithms (III) Yu Yu. Shanghai Jiaotong University

Security Handshake Pitfalls

CS 161 Computer Security

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

Lecture 3 Algorithms with numbers (cont.)

Secrets & Lies, Knowledge & Trust. (Modern Cryptography) COS 116 4/20/2006 Instructor: Sanjeev Arora

What did we talk about last time? Public key cryptography A little number theory

CPSC 467b: Cryptography and Computer Security

Digital Multi Signature Schemes Premalatha A Grandhi

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Spring 2010: CS419 Computer Security

Kurose & Ross, Chapters (5 th ed.)

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Chapter 9 Public Key Cryptography. WANG YANG

Forward-Secure Signatures for Unbounded Time Periods in Mobile Computing Applications

Chapter 13. Digital Cash. Information Security/System Security p. 570/626

CS 161 Computer Security

Introduction to Cryptography. Ramki Thurimella

Computer Security Fall 2006 Joseph/Tygar MT 2 Solutions

Cryptography: More Primitives

Homework 2 CS161 Computer Security, Spring 2008 Assigned 2/13/08 Due 2/25/08

CSE 127: Computer Security Cryptography. Kirill Levchenko

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Using Commutative Encryption to Share a Secret

Authentication and Key Distribution

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018

CT30A8800 Secured communications

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Cryptographic Protocols 1

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Cryptography and Network Security

Introduction to Cryptography Lecture 10

Fall 2010/Lecture 32 1

CS549: Cryptography and Network Security

CS 161 Computer Security

CPSC 467b: Cryptography and Computer Security

Outline Key Management CS 239 Computer Security February 9, 2004

ICS 180 May 4th, Guest Lecturer: Einar Mykletun

Introduction to Cryptography in Blockchain Technology. December 23, 2018

Securing Internet Communication: TLS

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Zero-Knowledge Proofs. Zero-Knowledge Proofs. Slides from a Talk by Eric Postpischil

5. Authentication Contents

More crypto and security

User Authentication. Modified By: Dr. Ramzi Saifan

CS3235 Seventh set of lecture slides

Zero-Knowledge Proof and Authentication Protocols

Public-Key Infrastructure NETS E2008

CS 361S - Network Security and Privacy Spring Homework #1

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

CS 161 Computer Security

P2_L8 - Hashes Page 1

Interested in learning more? Global Information Assurance Certification Paper. Copyright SANS Institute Author Retains Full Rights

1. Diffie-Hellman Key Exchange

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Encryption. INST 346, Section 0201 April 3, 2018

Key distribution and certification

13/10/2013. Kerberos. Key distribution and certification. The Kerberos protocol was developed at MIT in the 1980.

User Authentication. Modified By: Dr. Ramzi Saifan

Transcription:

Introduction to Modern Cryptography Benny Chor Identification (User Authentication) Fiat-Shamir Scheme Lecture 12 Tel-Aviv University 4 January 2010

Model and Major Issues Alice wishes to prove to Bob her identity, in order to access a resource, obtain a service, etc. Bob may ask the following: Who are you? (prove that you are Alice) Who the &$@* is Alice? Eve wishes to impersonate Alice: One time impersonation. Full impersonation (identity theft).

Different Scenarios where Identification Required Local identification (identified person is present) Human authenticator. Device (e.g. BGU airport; Entry points to the US). Remote identification Human authenticator Corporate environment (e.g. over a LAN) E-commerce environment Cable TV/Satellite: Pay-per-view; subscription verification Remote login or e-mail from an internet cafe.

Initial Authentication is Highly Vulnerable The problem: how does Alice initially convince anyone that she is indeed Alice? Solution must often involve a?real-world? type of authentication ID card, driver s license, etc. Errors due to the human factor are quite frequent. A famous incident took place in 2001, when VeriSign, the largest digital-signature certificate authority, was tricked into issuing Class 3 code-signing digital certificates to someone fraudulently claiming to work for Microsoft. Even in scenarios where OK for Alice to be whoever she claims she is, may want to at least make sure Alice is human (implemented, e.g. for new users attempting to join Yahoo mail).

Closed Environments The initial authentication problem is fully solved by a trusted party, Carol. Carol can distribute the identification material in a secure fashion, e.g by hand, or over encrypted and authenticated lines. Example a corporate environment. Eve s attack avenue is the Alice-Bob connection. We begin by looking at remote authentication, using a specific scheme.

Fiat-Shamir Identification Scheme Initialization. Set Up. Basic Construction. Improved Construction. Zero Knowledge. Removing Interaction.

Fiat-Shamir: Initialization Bob gets from Carol N = pq but not its factorization. Alice picks m numbers R 1, R 2,..., R m in Z N at random. Alice computes S 1 = R1 2 (mod N),..., S m = Rm 2 (mod N). Alice gives S 1,..., S m to Bob. She keeps R 1,..., R m secret.

Fiat-Shamir: Set Up Bob holds S 1,..., S m. Alice keeps R 1,..., R m secret. Who is Alice? Anyone who can convince Bob she can produce square roots mod N of S 1,..., S m to Bob. She keeps R 1,..., R m. A stupid way to convince Bob: Send him R 1,..., R m. Instead, we seek a method that will give Bob (and Eve) nothing more than being convinced Alice can produce these square roots. (hint: zero knowledge).

Fiat-Shamir: Basic Protocol Let S 1 = R 2 1 (mod N) such that Alice holds R 1. To convince Bob that Alice knows a square root mod N of S 1, Alice picks at random X 1 Z N, computes Y 1 = X1 2 (mod N), and sends Y 1 to Bob. Alice to Bob: I know both a square root mod N of Y1 (which equals X 1 ) and a square root mod N of Y 1 S 1 (which equals X 1 R 1 ). Thus I know a square root mod N of S1 (which equals R 1 ). But I m not going to reveal it. Instead, you (Bob) should make a choice which of the two you want me to reveal. Bob flips a coin. The outcome (heads/tails) determines the challenge he poses to Alice.

Fiat-Shamir: Basic Protocol, cont. If Alice knows both a square root of Y 1 (e.g. X 1 ) and a square root mod N of Y 1 S 1 (e.g. X 1 R 1 ) then she knows R 1. Thus is she does not know a square root of S 1, she does not know at least one of the two square roots above. In such case, Bob will catch her cheating with probability at least 1/2. In the protocol, Alice will produce Y 1, Y 2,..., Y m. Bob will flip m coins b 1, b 2..., b m as challenges. Bob accept only if Alice succeeds in all m cases.

Basic Protocol Bob accepts iff all m challenges are met.

Improved (more efficient) Protocol Bob accepts iff two challenges are met.

Correctness of Protocol (Intuition Only) A cheating Eve, without knowledge of R i s, will be caught with very high probability. Zero Knowledge: By eavesdropping, Eve learns nothing (all she learns, she can simulate on her own). Crucial ingredients: 1. Interaction. 2. Randomness.

Fiat-Shamir: Final Improvement (more efficient) Protocol Bob accepts iff two challenges are met.

Fiat-Shamir: Final Improvement Removing lnteraction Let H be a cryptographically secure hash function. Bob accepts iff two challenges are met.

Correctness of Protocol (Intuition Only) A cheating Eve, without knowledge of R i s, cannot succeed in producing, with non-negligible probability Y 1, Y 2,..., Y m that will be hashed to a convenient bit vector b 1, b 2,..., b m. This is because m is long and H behaves like a random function (so the chances of hitting a bit vector favorable to Eve are negligible). Remark: Fiat-Shamir scheme (the improved version) is used in practice.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback