T Cryptography and Data Security

Similar documents
T Cryptography and Data Security

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Chapter 9: Key Management

Session key establishment protocols

Session key establishment protocols

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Cryptographic Protocols 1

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Analysis, demands, and properties of pseudorandom number generators

Key Establishment. Chester Rebeiro IIT Madras. Stinson : Chapter 10

Spring 2010: CS419 Computer Security

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Cryptography and Network Security Chapter 7. Fourth Edition by William Stallings

ECE 646 Lecture 3. Key management

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Station-to-Station Protocol

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Key Management and Distribution

CSC/ECE 774 Advanced Network Security

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

UNIT - IV Cryptographic Hash Function 31.1

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Chapter 10: Key Management

CSC 774 Network Security

Key management. Required Reading. Stallings, Cryptography and Network Security: Principles and Practice, 5/E or 6/E

Cryptographic Checksums

CS Computer Networks 1: Authentication

1. Diffie-Hellman Key Exchange

Cryptography and Network Security Chapter 10. Fourth Edition by William Stallings

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Network Security. Random Number Generation. Chapter 6. Network Security (WS 2003): 06 Random Number Generation 1 Dr.-Ing G.

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

Cryptography and Network Security Chapter 14

Cryptography and Network Security Chapter 7

Computer Security: Principles and Practice

ECE 646 Lecture 3. Key management. Required Reading. Using the same key for multiple messages

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

CIS 4360 Secure Computer Systems Applied Cryptography

What did we talk about last time? Public key cryptography A little number theory

CSC 482/582: Computer Security. Security Protocols

Datasäkerhetsmetoder föreläsning 7

Cryptography and Network Security

Information Security CS 526

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Key Management and Distribution

Lecture 2 Applied Cryptography (Part 2)

Analysis of Cryptography and Pseudorandom Numbers

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Lecture 1: Course Introduction

Computer Networks. Wenzhong Li. Nanjing University

Cryptography V: Digital Signatures

Authentication in Distributed Systems

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Applied Cryptography and Computer Security CSE 664 Spring 2017

ECE 646 Lecture 3. Key management. Required Reading. Using Session Keys & Key Encryption Keys. Using the same key for multiple messages

Cryptography and Network Security Chapter 13. Digital Signatures & Authentication Protocols

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Key Agreement Schemes

Key management. Pretty Good Privacy

Cryptography V: Digital Signatures

Contents Digital Signatures Digital Signature Properties Direct Digital Signatures

CIS 6930/4930 Computer and Network Security. Final exam review

L13. Reviews. Rocky K. C. Chang, April 10, 2015

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

Fall 2010/Lecture 32 1

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

A Secured Key Generation Scheme Using Enhanced Entropy

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

Encryption. INST 346, Section 0201 April 3, 2018

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

Key Management and Distribution

CT30A8800 Secured communications

Key Agreement. Guilin Wang. School of Computer Science, University of Birmingham

Sankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology. Question Bank

Applied Cryptography and Computer Security CSE 664 Spring 2018

The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Identification Schemes

Diffie-Hellman. Part 1 Cryptography 136

Blum-Blum-Shub cryptosystem and generator. Blum-Blum-Shub cryptosystem and generator

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Basic principles of pseudo-random number generators

Authenticated Key Agreement without Subgroup Element Verification

Cryptography and Network Security Chapter 13. Fourth Edition by William Stallings. Lecture slides by Lawrie Brown

CS 161 Computer Security

Chapter 9. Public Key Cryptography, RSA And Key Management

CS Protocol Design. Prof. Clarkson Spring 2017

Message authentication

Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography

APPENDIX D RANDOM AND PSEUDORANDOM NUMBER GENERATION

Chapter 10 : Private-Key Management and the Public-Key Revolution

Lecture 1 Applied Cryptography (Part 1)

INF3510 Information Security University of Oslo Spring Lecture 3 Key Management and PKI. Audun Jøsang

Cryptology Part 1. Terminology. Basic Approaches to Cryptography. Basic Approaches to Cryptography: (1) Transposition (continued)

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

Public Key Algorithms

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Transcription:

T-79.4501 Cryptography and Data Security Lecture 10: 10.1 Random number generation 10.2 Key management - Distribution of symmetric keys - Management of public keys Stallings: Ch 7.4; 7.3; 10.1 1

The Use of Random Numbers Random numbers are an essential ingredient in most (if not all) cryptographic protocols: there is no security without apparent randomness and unpredictability; things must look random to an external observer. Cryptographic keys symmetric keys (private) keys for asymmetric cryptosystems Cryptographic nonces (= numbers used once) to guarantee freshness random numbers with some additional properties 2

Random and pseudorandom numbers Random numbers are characterized using the following statistical properties: Uniformity: Random numbers are uniformly distributed Independence: generated random numbers cannot be derived from other generated random numbers Generated using physical devices, e.g, quantum random number generator Pseudorandom numbers are non-random numbers that cannot be distinguished from random numbers: Statistical distribution of a sample of certain (large) size cannot be distinguished from the uniform distribution Independent-looking: pseudorandom numbers should be unpredictable: given a sequence of previously generated pseudorandom numbers nothing cannot be said about the future terms of the sequence Generated using deterministic algorithms from a short truly random or pseudorandom seed. 3

Linear Congruential Generator (Lehmer 1951) m the modulus, m > 0 a the multiplier, 0 < a < m c the increment, 0 c < m x 0 the starting value, or seed The sequence of pseudorandom numbers is computed as x n+1 = (ax n + c) mod m, n = 0,1,2,. Example: m = 32; a = 7; c = 0, x 0 = 7; then x 0 = 7, x 1 = 17, x 2 = 23, x 3 = 1, x 4 = 7, The period of the sequence is 4. This is due to the fact that the order of 7 modulo 32 is equal to 4. The period should be large. This can be achieved by suitable choice of the numbers: IBM360 family of computers used LCG with a = 16807 = 7 5 ; m = 2 31-1; c = 0. 4

Weaknesses of LCG Given the parameters a, c and m, and just one term of the generated sequence, one can compute any term after and before this term. Assume a, c and m are unknown. Then given just four known terms x 0, x 1, x 2, x 3 of the generated sequence, one gets a system of equations: x 1 = (ax 0 + c) mod m x 2 = (ax 1 + c) mod m x 3 = (ax 2 + c) mod m from where one has good chances to solve for a, c and m. Linear Feedback Shift Registers (LFSR) are very similar to LCG: good statistical properties, but no cryptographic security in itself. Given an output sequence of length that is 2 times the length of the LFSR, one can solve for the feedback coefficients. Therefore, LFSRs are used only as a part of a construction for a cryptographically secure key stream or pseudorandom number generator. 5

Cryptographic PRNGs The security requirements for a cryptographically secure pseudorandom number generator are similar than those for a keystream generator. In practice, the difference lies in the fact that keystream generators are used for encryption and must be fast, and consequently, security is traded off to achieve the required speed. Pseudorandom number generators are used generate short strings, cryptographic keys and nonces, and therefore security is more important than speed. Some standard PRNGs: Counter mode keystream generator is a cryptographically strong PRNG ANSI X9.17 PRNG based on Triple DES with two keys in encryptiondecryption-encryption mode. FIPS 186-2 specifies a random number generator based on SHA-1 for generation of the private keys and per-message nonces. Blum-Blum-Shub generator is provably secure under the assumption that factoring is hard. 6

Counter Mode PRNG Also known as Cyclic Encryption (Meyers 1982). It consists of a counter with period N and an encryption algorithm with a secret key. IV Initial value of the counter C K Key of the block cipher encryption function E K i-th pseudorandom number output X i C 0 = IV; C i = C i-1 +1; X i = E K (C i ), i = 1,2, The period is N. If the length of the counter is less than the block size of E K then all generated numbers within one period are different. C i E K X i 7

ANSI X9.17 PRNG DT i V i E K X i 64-bit time variant parameter, date and time seed variable 3-DES encryption with two 56-bit keys K 1 and K 2, K = (K 1,K 2 ) i-th pseudorandom number output DT i E K V i V i+1 E K X i = E K (V i E K (DT i )), V i+1 = E K (X i E K (DT i )), i = 1,2, E K X i 8

FIPS 186-2 PRNG for generation of permessage random numbers k j for DSA m number of messages to be signed q the 160-bit prime in the definition of DSA KKEY 0 initial 512-bit seed KKEY j 512-bit seed variable t the fixed initial value (a cyclic shift of the initial value CV 0 of SHA-1, see Lecture 5) G(t,c) operation of SHA-1 on one 512-bit message block M (without length appending) M = formed by appending seros to the end of c k j j-th per-message pseudorandom number k j = G(t,KKEY j ) mod q KKEY j+1 = (1 + KKEY j + k j,) mod 2 512, j = 0,1,,m-1 KKEY i-1 add 1 mod 2 b KKEY j G k j 9

Blum-Blum-Shub Cryptographically provably secure PRNG Very slow, output 1 pseudorandom bit per one modular squaring modulo a large integer p, q two different large primes; p = q = 3 (mod 4) n modulus, n = pq s secret seed; set x 0 = s 2 mod n x i B i i-th intermediate number i-th output bit For i = 1,2, x i = (x i -1 ) 2 mod n B i = x i mod 2 10

Model for network security Trusted third party Sender Receiver Secret information Secret information Message Secure Message Secure Message Message Security related transformation Opponent Security related transformation 11

Distribution of symmetric keys Distribution of shared symmetric keys for A and B; using one of the following options: 1. Physically secured A selects or generates a key and delivers it to B using some physically secure means A third party C selects a key and delivers it to A and B using some physically secure means 2. Key distribution using symmetric techniques If A and B have a shared secret key, A can generate a new key and send it to B encrypted using the old key If C is already using a shared secret key K 1 with A and a second key K 2 with B, then C can generate a key and send it encrypted to A and B. 3. Key management using asymmetric techniques If Party A has a public key of B, then A can generate a key and send it to B encrypted using a public key If party C has the public key of A and the public key of B, it can generate a key and send it to A and B encrypted using their public keys. 12

Key Hierarchy 1. Master Keys long term secret keys used for authentication and session key set up Distributed using physical security or public key infrastructure 2. Session Keys short term secret keys used for protection of the session data distributed under protection of master keys 3. Separated session keys short term secrets to achieve cryptographic separation: Different cryptographic algorithms should use different keys. Weaknesses in one algorithm should not endanger protection achieved by other algorithms. derived from the main session key 13

Example: Kerberos k A k B S 2. k A (k, B, times, N A, ), tkt B = k B (k, A, times, ) Prior enrollment with server Timestamps to ensure freshness Key transport Key confirmation 1. A, B, N A k A k A k 3. k(a, T A, ), tkt B = k B (k, A, times, ) 4. k(t A, ) B k k k B 14

Needham-Schroeder protocol (1978) An earlier version of the Kerberos protocol (without time-stamps) B had no guarantee of the freshness of the ticket tkt B. If Malice knows some previous key used by A and B it can force B to use the key again by replaying the corresponding ticket. Depicted on the next slide 15

Initiator (A) A Key Management Scenario* (1) Request N 1 Key distribution center (KDC) (2) E Ka (Ks Request N 1 E Kb (Ks,IDa)) (3) E Kb (Ks IDa) (4) E Ks (N 2 IDb)** (5) E Ks (N 2 +1 IDa)** *Stallings, Section 7.3; also known as the Needham- Schroeder protocol Ka Symmetric key shared by KDC and A Kb Symmetric key shared by KDC and B Ks N 1, N 2 IDa IDb Session key Nonces Identity of A Identity of B Responder (B) ** slightly modified from Stallings protocol 16

Authenticated Diffie-Hellman Key Exchange Recall: Diffie-Hellman Key Exchange provides confidentiality against passive wiretapper. Active man-in-the-middle attack can be prevented using authentication, e.g. as follows: g a IDa Initiator A g b MAC K (g a,g b,ida) MAC K (g a,g b,idb) Responder B K a IDa IDb Authentication key shared by A and B private exponent of A Identity of A Identity of B 17

Station-to-Station (STS) Protocol: Authenticated Diffie-Hellman Provides perfect forward secrecy (PFS): compromise of long term private keys does not compromise past session keys PFS requires the use of public key cryptography Alice Bob IDb g x g y, Cert B, E K (sig B (g y, g x )) Cert A, E K (sig A (g x, g y )) 18

Desirable AKE Attributes Law, Menezes, Qu, Solinas, Vanstone (1998) known-key security. Each run of a key agreement protocol between two identities A and B should produce a unique secret key; such keys are session keys. A protocol should still achieve its goal in the face of an adversary who has learned some other session keys. (perfect) forward secrecy. If long-term private keys of one or more entities are compromised, the secrecy of previous session keys established by honest entities is not affected. key-compromise impersonation. Suppose A s long-term private key is disclosed. Clearly an adversary that knows this value can now impersonate A, since it is precisely this value that identifies A. However, it may be desirable that this loss does not enable an adversary to impersonate other entities to A. unknown key-share. Entity A cannot be coerced into sharing a key with entity B without A s knowledge, i.e., when A believes the key is shared with some entity C B, and B (correctly) believes that the key is shared with A. key control. Neither entity should be able to force the session key to a preselected value. key confirmation. Both entities get an explicit proof that the other entity has 19 established the same key.

Distribution of Public Keys Public announcement Just appending one s public key, or the fingerprint (hash) of the public key in one s signed email message is not secure PGP public key fingerprints need to be truly authenticated based on face-to-face or voice contact Publicly available directory An authorized directory, similar to phone directory that is published in print Public-key Authority Public keys obtained from an online service. Communication needs to be secured. Public-key Certificates Public keys bound to user s identities using a certificate signed by a Certification Authority (CA) 20

X509 Public Key Certificates Mandatory fields The version number of the X.509 standard The certificate serial number The CA s Signing Algorithm Identifier The name of the issuing CA The validity period (not before date, not after date) The subject s name, i.e. whose public key is being signed The subject s public key value, including the algorithm and associated domain parameters The issuer s signature on the public key and all other data that is to be bound to the subject s public key such as the subject s name, the validity period and other terms of usage of the subject s public key. 21

CA and Registration Authority Certification Authority E.g. in Finland: Population Register Center The certificate is stored in the subject s Electronic Identity Card Registration Authority Identifies the user based on user s true identity and establishes a binding between the public key and the subject s identity Management of private keys Private keys generated by the user Private key generated by a trusted authority Private key generated inside a smart card from where it is never taken out. The public key is taken out. Certificate Revocation List Black list for lost or stolen private keys CRL must be available online for certificates with long validity period 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback