Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Similar documents
CS Computer and Network Security: Applied Cryptography

Lecture 6 - Cryptography

Lecture 7 - Applied Cryptography

Public Key Algorithms

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

What did we talk about last time? Public key cryptography A little number theory

Lecture 2 Applied Cryptography (Part 2)

Chapter 9. Public Key Cryptography, RSA And Key Management

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Overview. Public Key Algorithms I

Public Key Algorithms

Spring 2010: CS419 Computer Security

Kurose & Ross, Chapters (5 th ed.)

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CSC 474/574 Information Systems Security

Encryption. INST 346, Section 0201 April 3, 2018

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

ISA 662 Internet Security Protocols. Outline. Prime Numbers (I) Beauty of Mathematics. Division (II) Division (I)

Number Theory and RSA Public-Key Encryption

Grenzen der Kryptographie

CIS 4360 Secure Computer Systems Applied Cryptography

CS 161 Computer Security

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Public Key Algorithms

Chapter 9 Public Key Cryptography. WANG YANG

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

CS 332 Computer Networks Security

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Session key establishment protocols

Session key establishment protocols

Diffie-Hellman. Part 1 Cryptography 136

Public Key Cryptography

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

1. Diffie-Hellman Key Exchange

Modern cryptography 2. CSCI 470: Web Science Keith Vertanen

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Public-Key Cryptography

Cryptographic Protocols 1

Lecture 19: cryptographic algorithms

Fall 2010/Lecture 32 1

Data Security and Privacy. Topic 14: Authentication and Key Establishment

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Key Establishment and Authentication Protocols EECE 412

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Key Exchange. Secure Software Systems

CS 161 Computer Security

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Chapter 3 Public Key Cryptography

Chapter 7 Public Key Cryptography and Digital Signatures

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Key Management and Distribution

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Cryptography and Network Security

Cryptography Symmetric Cryptography Asymmetric Cryptography Internet Communication. Telling Secrets. Secret Writing Through the Ages.

Network Security. Chapter 4 Public Key Cryptography. Public Key Cryptography (4) Public Key Cryptography

18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange. Dan Boneh

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

Security: Cryptography

CSC 8560 Computer Networks: Network Security

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

CS 161 Computer Security

Cryptographic Systems

14. Internet Security (J. Kurose)

Algorithms (III) Yijia Chen Shanghai Jiaotong University

UNIT - IV Cryptographic Hash Function 31.1

Public-key encipherment concept

Public Key (asymmetric) Cryptography

Information Security CS 526

Chapter 10 : Private-Key Management and the Public-Key Revolution

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

PROTECTING CONVERSATIONS

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Cryptographic Checksums

Lecture 15: Cryptographic algorithms

Computer Networks & Security 2016/2017

Algorithms (III) Yijia Chen Shanghai Jiaotong University

Algorithms (III) Yu Yu. Shanghai Jiaotong University

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

KEY AGREEMENT PROTOCOLS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 13 of Trappe and Washington

Introduction to Cryptography and Security Mechanisms. Abdul Hameed

Topics. Number Theory Review. Public Key Cryptography

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Introduction to Cryptography Lecture 7

Network Security. Chapter 8. MYcsvtu Notes.

Public-key Cryptography: Theory and Practice

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest

Ref:

CRYPTOGRAPHY AND NETWROK SECURITY-QUESTION BANK

CSC/ECE 774 Advanced Network Security

Crypto CS 485/ECE 440/CS 585 Fall 2017

Cryptography and Network Security Chapter 10. Fourth Edition by William Stallings

Chapter 3. Principles of Public-Key Cryptosystems

David Wetherall, with some slides from Radia Perlman s security lectures.

Transcription:

CMPSC443 - Introduction to Computer and Network Security Module: Cryptographic Protocols Professor Patrick McDaniel Spring 2009 1

Key Distribution/Agreement Key Distribution is the process where we assign and transfer keys to a participant Out of band (e.g., passwords, simple) During authentication (e.g., Kerberos) As part of communication (e.g., skip-encryption) Key Agreement is the process whereby two parties negotiate a key 2 or more participants Typically, key distribution/agreement this occurs in conjunction with or after authentication. However, many applications can pre-load keys 2

Diffie-Hellman Key Agreement The DH paper really started the modern age of cryptography, and indirectly the security community Negotiate a secret over an insecure media E.g., in the clear (seems impossible) Idea: participants exchange intractable puzzles that can be solved easily with additional information. Mathematics are very deep Working in multiplicative group G Use the hardness of computing discrete logarithms in finite field to make secure 3

Diffie-Hellman Protocol For two participants p 1 and p 2 Setup: We pick a prime number p and a base g (<p) This information is public E.g., p=13, g=4 Step 1: Each principal picks a private value x (<p-1) Step 2: Each principal generates and communicates a new value y = g x mod p Step 3: Each principal generates the secret shared key z z = y x mod p Perform a neighbor exchange. 4

Attacks on Diffie-Hellman This is key agreement, not authentication. You really don t know anything about who you have exchanged keys with The man in the middle A B Alice and Bob think they are talking directly to each other, but Mallory is actually performing two separate exchanges You need to have an authenticated DH exchange The parties sign the exchanges (more or less) See Schneier for a intuitive description 5

Public Key Cryptography Public Key cryptography Each key pair consists of a public and private component: k + (public key), k - (private key) D(E(p, k + ),k )=p D(E(p, k ),k + )=p Public keys are distributed (typically) through public key certificates Anyone can communicate secretly with you if they have your certificate E.g., SSL-base web commerce 6

RSA (Rivest, Shamir, Adelman) A dominant public key algorithm The algorithm itself is conceptually simple Why it is secure is very deep (number theory) Use properties of exponentiation modulo a product of large primes "A method for obtaining Digital Signatures and Public Key Cryptosystems, Communications of the ACM, Feb., 1978 21(2) pages 120-126. 7

RSA Key Generation Pick two large primes p and q Calculate n = pq Pick e such that it is relatively prime to phi(n) = (q-1)(p-1) Euler s Totient Function d ~= e -1 mod phi(n) de mod phi(n) = 1 or Try p=3, q=11, and e = 7 Note: another way of looking at d ~= e -1 mod phi(n) is ed-1 is exactly divisible by phi(n). 8

RSA Key Generation Pick two large primes p and q Calculate n = pq Pick e such that it is relatively prime to phi(n) = (q-1)(p-1) Euler s Totient Function d ~= e -1 mod phi(n) de mod phi(n) = 1 or 1. p=3, q=11 2.n = 3*11 = 33 3.phi(n) = (2*10) = 20 4.e = 7 GCD(20,7) = 1 5. Euclid s Algorithm d = 7-1 mod 20 d = d7 mod 20 = 1 d = 3 Note: another way of looking at this is ed-1 is exactly divisible by phi(n). 9

RSA Encryption/Decryption Public key k + is {e,n} and private key k - is {d,n} Encryption and Decryption E(k+,P) : ciphertext = plaintext e mod n D(k-,C) : plaintext = ciphertext d mod n Example Public key (7,33), Private Key (3,33) Data 4 (encoding of actual data) E({7,33},4) = 4 7 mod 33 = 16384 mod 33 = 16 D({3,33},16) = 16 3 mod 33 = 4096 mod 33 = 4 10

Encryption using private key Encryption and Decryption E(k -,P) : ciphertext = plaintext d mod n D(k +,C) : plaintext = ciphertext e mod n E.g., E({3,45},4) = 4 3 mod 33 = 64 mod 33 = 31 D({7,45},19) = 31 7 mod 33 = 27,512,614,111 mod 33 = 4 Q: Why encrypt with private key? 11

Digital Signatures Models physical signatures in digital world Association between private key and document and indirectly identity and document. Asserts that document is authentic and non-reputable To sign a document Given document d, private key k- Signature S(d) = E( k -, h(d) ) Validation Given document d, signature S(d), public key k+ Validate D(k +, S(d)) = H(d) 12

Secret vs. public key crypto. Secret key cryptography Symmetric keys, where A single key (k) is used is used for E and D D( E( p, k ), k ) = p All (intended) receivers have access to key Note: Management of keys determines who has access to encrypted data E.g., password encrypted email Also known as symmetric key cryptography Public key cryptography Each key pair consists of a public and private component: k+ (public key), k- (private key) D( E(p, k+), k- ) = p D( E(p, k-), k+ ) = p Public keys are distributed (typically) through public key certificates Anyone can communicate secretly with you if they have your certificate E.g., SSL-based web commerce 13

Meet Alice and Bob. Alice and Bob are the canonical players in the cryptographic world. They represent the end points of some interaction Used to illustrate/define a security protocol Other players occasionally join Trent - trusted third party Mallory - malicious entity Eve - eavesdropper Ivan - an issuer (of some object) 14

Some notation You will generally see protocols defined in terms of exchanges containing some notation like All players are identified by their first initial E.g., Alice=A, Bob=B d is some data pw A is the password for A k AB is a symmetric key known to A and B KA +,KA - is a public/private key pair for entity A E(k,d) is encryption of data d with key k H(d) is the hash of data d Sig(KA -,d) is the signature (using A s private key) of data d + is used to refer to concatenation 15

Some interesting things you want to do when communicating. Ensure the authenticity of a user Ensure the integrity of the data Also called data authenticity Keep data confidential Guarantee non-repudation 16

Basic (User) Authentication Bob wants to authenticate Alice s identity (is who she says she is) [pw A ] Alice 1 2 Bob [Y/N] 17

Hash User Authentication Bob wants to authenticate Alice s identity (is who she says she is) [h(pw A )] Alice 1 2 Bob [Y/N] 18

Challenge/Response User Authentication Bob wants to authenticate Alice s identity (is who she says she is) [c] Alice 2 [h(c+pw A )] 1 Bob 3 [Y/N] 19

User Authentication vs. Data Integrity User authentication proves a property about the communicating parties E.g., I know a password Data integrity ensures that the data transmitted... Can be verified to be from an authenticated user Can be verified to determine whether it has been modified Now, lets talk about the latter, data integrity 20

Simple Data Integrity? Alice wants to ensure any modification of the data in flight is detectable by Bob (integrity) Alice 1 [d,h(d)] Bob 21

HMAC Integrity Alice wants to ensure any modification of the data in flight is detectable by Bob (integrity) Alice 1 [d,hmac(k,d)] Bob 22

Signature Integrity Alice wants to ensure any modification of the data in flight is detectable by Bob (integrity) Alice 1 [d, Sig(KA -, d)] Bob 23

Data Integrity vs. Non-repudiation If the integrity of the data is preserved, is it provably from that source? Hash integrity says what about non-repudiation? Signature integrity says what about non-repudiation? 24

Confidentiality Alice wants to ensure that the data is not exposed to anyone except the intended recipient (confidentiality) Alice 1 [E(k AB,d), hmac(kab, d)] Bob 25

Question If I already have an authenticated channel (e.g., the remote party s public key), why don t I simply make up a key and send it to them? 26

Confidentiality Alice wants to ensure that the data is not exposed to anyone except the intended recipient (confidentiality) But, Alice and Bob have never met!!!! [E(k x,d), hmac(kx, d),e(kb +,k x )] 1 Alice Bob Alice randomly selects key k x to encrypt with 27

Real Systems Security The reality of the security is that 90% of the frequently used protocols use some variant of these constructs. So, get to know them they are your friends We will see them (and a few more) over the semester They also apply to systems construction Protocols need not necessarily be online Think about how you would use these constructs to secure files on a disk drive (integrity, authenticity, confidentiality) We will add some other tools, but these are the basics 28

Cryptanalysis and Protocol Analysis Cryptographic Algorithms Complex mathematical concepts May be flawed What approaches are used to prove correct/find flaws? Cryptographic Protocols Complex composition of algorithms and messages May be flawed What approaches are used to prove correct/find flaws? 29

A Protocol Story Needham-Schroeder Public Key Protocol Defined in 1978 Assumed Correct Many years without a flaw being discovered Proven Correct BAN Logic So, It s Correct, Right? 30

Needham-Schroeder Public Key Nonce Message a.1: A --> B : A,B, {NA, A}PKB A initiates protocol with fresh value for B Message a.2: B --> A : B,A, {NA, NB}PKA B demonstrates knowledge of NA and challenges A Message a.3: A --> B : A,B, {NB}PKB A demonstrates knowledge of NB Note: A and B are the only ones who can read NA and NB, and use this fact to prove they know private keys without exposing them 31

Gavin Lowe Attack An active intruder X participates... Message a.1: Message b.1: A --> X : A,X, {NA, A}PKX X(A) --> B : A,B, {NA, A}PKB X as A initiates protocol with fresh value for B Message b.2: B --> X(A) : B,A, {NA, NB}PKA Message a.2: X --> A : X,A, {NA, NB}PKA X asks A to demonstrates knowledge of NB Message a.3: A --> X : A,X, {NB}PKX A tells X NB; thanks A! Message b.3: X(A) --> B : A,B, {NB}PKB X completes the protocol as A 32

What Happened? X can get A to act as an oracle for nonces Hey A, what s the NB in this message from any B? A assumes that any message encrypted for it is legit Bad idea X can enable multiple protocol executions to be interleaved Should be part of the threat model? 33

Dolev-Yao Result Strong attacker model Attacker intercepts every message Attacker can cause one of a set of operators to be applied at any time Operators for modifying, generating any kind of message Attacker can apply any operator except other s decryption Decision problem: is protocol X secure under DY? Polynomial Time for One Session Undecidable for Multiple Sessions Moral: Analysis is Difficult Because Attacker Can Exploit Interactions of Multiple Sessions 34

In class assignment Create groups of 3-4 people. You are to create three protocols: 1. A establishes a secret key (kg) between all members of the group (assume everyone in the class can hear the messages), make sure nobody can forge the key. 2. to send a message d1 from B that has confidentiality, authenticity, and integrity (within the group) 3. to send a message d2 that has confidentiality, authenticity, and integrity (within the group), and can uniquely identifies the sender (C) Assume you only start with the public keys of the other members of the group (A, B, C, D) k + A,k+ B,k+ C,k+ D 35

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback