CS 161 Computer Security

Similar documents
CS 161 Computer Security

CS 161 Computer Security

CS 161 Computer Security

CS 161 Computer Security

CSC 474/574 Information Systems Security

Cryptographic Protocols 1

Public Key Algorithms

CPSC 467: Cryptography and Computer Security

CS 161 Computer Security

Chapter 9 Public Key Cryptography. WANG YANG

1. Diffie-Hellman Key Exchange

Spring 2010: CS419 Computer Security

Cryptography III Want to make a billion dollars? Just factor this one number!

Key Establishment and Authentication Protocols EECE 412

Key Exchange. Secure Software Systems

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

n-bit Output Feedback

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

CS Computer Networks 1: Authentication

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

L13. Reviews. Rocky K. C. Chang, April 10, 2015

ECEN 5022 Cryptography

Lecture 2 Applied Cryptography (Part 2)

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Overview. Public Key Algorithms I

CS 161 Computer Security

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

CS 161 Computer Security

1 Identification protocols

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Diffie-Hellman. Part 1 Cryptography 136

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Lecture 7 - Applied Cryptography

CSC/ECE 774 Advanced Network Security

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

What did we talk about last time? Public key cryptography A little number theory

Session key establishment protocols

Session key establishment protocols

Chapter 8 Security. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Uzzah and the Ark of the Covenant

Encryption. INST 346, Section 0201 April 3, 2018

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Activity Guide - Public Key Cryptography

2.1 Basic Cryptography Concepts

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Public Key Algorithms

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

NETWORK SECURITY & CRYPTOGRAPHY

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

Kurose & Ross, Chapters (5 th ed.)

Introduction to Cryptography Lecture 7

Applied Cryptography and Computer Security CSE 664 Spring 2018

Homework 1 CS161 Computer Security, Spring 2008 Assigned 2/4/08 Due 2/13/08

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Modern cryptography 2. CSCI 470: Web Science Keith Vertanen

Cryptographic Systems

Real-time protocol. Chapter 16: Real-Time Communication Security

Public Key Algorithms

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Other Topics in Cryptography. Truong Tuan Anh

CSE 127: Computer Security Cryptography. Kirill Levchenko

Strong Password Protocols

Introduction to Cryptography Lecture 7

ISA 662 Internet Security Protocols. Outline. Prime Numbers (I) Beauty of Mathematics. Division (II) Division (I)

KEY AGREEMENT PROTOCOLS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 13 of Trappe and Washington

Network Security (NetSec)

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

CIS 4360 Secure Computer Systems Applied Cryptography

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Chapter 9. Public Key Cryptography, RSA And Key Management

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Introduction to Information Security Miscellaneous

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Chapter 9: Key Management

Applied Cryptography and Computer Security CSE 664 Spring 2017

Ref:

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

Encryption 2. Tom Chothia Computer Security: Lecture 3

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest

SECURITY IN NETWORKS

Password. authentication through passwords

UNIT - IV Cryptographic Hash Function 31.1

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018

Notes for Lecture 14

Lecture 20 Public key Crypto. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Bailey s ECE 422

Key Management. CS 161: Computer Security Prof. Vern Paxson

The Diffie-Hellman/Karn Encryption App

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell


Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Public Key Cryptography and the RSA Cryptosystem

18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange. Dan Boneh

CS 494/594 Computer and Network Security

CSC 774 Network Security

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Applied Cryptography Protocol Building Blocks

CRYPTOGRAPHY & DIGITAL SIGNATURE

Transcription:

Popa & Wagner Spring 2016 CS 161 Computer Security Discussion 5 Week of February 19, 2017 Question 1 Diffie Hellman key exchange (15 min) Recall that in a Diffie-Hellman key exchange, there are values a, b, g and p. Alice computes g a mod p and Bob computes g b mod p. (a) Which of these values are publicly known and which must be kept private? g and p are publicly known. Implementations of Diffie-Hellman often have carefully picked values of g and p which are known to everyone. Alice and Bob must keep a and b secret respectively. (b) Eve can eavesdrop on everything sent between Alice and Bob, but can t change anything. Alice and Bob run Diffie-Hellman and have agreed on a shared symmetric key K. However, Bob accidentally sent his b to Alice in plain text. If Eve viewed all traffic since the beginning of the exchange, can she figure out what K is? Yes, this will be very easy for Eve: she can use the value A = g a mod p which Alice sent to calculate K = A b mod p. (c) Mallory can not only view all Alice Bob communications but also intercept and modify it. Alice and Bob perform Diffie-Hellman to agree on a shared symmetric key K. After the exchange, Bob gets the feeling something went wrong and calls Alice. He compares his value of K to Alice s and realizes that they are different. Explain what Mallory has done and what she can now do. Mallory is performing a man-in-the-middle attack. Mallory pretends to be Bob when she talks to Alice, and Mallory also pretends to be Alice when she talks to Bob. In this way, both Alice and Bob are unknowingly talking to Mallory. Mallory can then decrypt/re-encrypt the traffic in both directions and modify it however she wishes to. More technically, when Alice sends A = g a mod p to Bob, Mallory intercepts Page 1 of 5

this (preventing it from going to Bob), and sends back to Alice: M = g c mod p. Now when Alice sends a message to Bob, she uses K bad = M a mod p which Mallory knows as K bad = A c mod p. Mallory can then decrypt all messages sent from Alice. She can also send messages to Alice which Alice thinks are from Bob. Mallory then does the same trick to Bob. Question 2 Perfect Forward Secrecy (15 min) Alice (A) and Bob (B) want to communicate using some shared symmetric key encryption scheme. Consider the following key exchange protocols which can be used by A and B to agree upon a shared key, K ab. El Gamal-Based Key Exchange Protocol Message 1 A B: {K ab } K pub B Key exchanged Message 2 A B: {secret1} Kab Message 3 A B: {secret2} Kab Diffe-Hellman Key Exchange Message 1 A B: g a mod p Message 2 A B: g b mod p Key exchanged K ab = g ab mod p Message 3 A B: {secret1} Kab Message 4 A B: {secret2} Kab Some additional details: K pub B is Bob s long-lived public key. All messages are destroyed immediately after reading them. K ab and DH exponents a and b are destroyed once all messages are sent. Eavesdropper Eve records all communications between Alice and Bob, but is unable to decrypt them. At some point in the future, Eve is lucky and manages to compromise Bob s computer. (a) Is the confidentiality of Alice and Bob s prior El Gamal-based communication in jeopardy? Yes. The compromise of Bob s computer gives Eve access to Bob s private key, allowing Eve to decrypt the traffic she previously recorded that was encrypted using Bob s public key. Once decrypted, she obtains K ab, and can then apply it to decrypt the traffic encrypted using symmetric key encryption. (b) What about Alice and Bob s Diffe-Hellman-based communication? Discussion 5 Page 2 of 5 CS 161 Sp 16

No. Since Alice and Bob destroy the DH exponents a and b after use, and since the key computed from them itself is never transmitted, there is no information present on Bob s computer that Eve can leverage to recover K ab. This means that with Diffie-Hellman key exchanges, later compromises in no way harm the confidentiality of previous communication, even if the ciphertext for that communication was recorded in full. This property is called Perfect Forward Secrecy. Discussion 5 Page 3 of 5 CS 161 Sp 16

Question 3 Why do RSA signatures need a hash? (20 min) This question explores the design of standard RSA signatures in more depth. To generate RSA signatures, Alice first creates a standard RSA key pair: (n, e) is the RSA public key and d is the RSA private key, where n is the RSA modulus. For standard RSA signatures, we typically set e to a small prime value such as 3; for this problem, let e = 3. To generate a standard RSA signature S on a message M, Alice computes S = H(M) d mod n. If Bob wants to verify whether S is a valid signature on message M, he simply checks whether S 3 = H(M) mod n holds. d is a private key known only to Alice and (n, 3) is a publicly known verification key that anyone can use to check if a message was signed using Alice s private signing key. Suppose RSA signatures skipped using a hash function and just used M directly, so the signature S on a message M is S = M d mod n. In other words, if Alice wants to send a signed message to Bob, she will send (M, S) to Bob, where S = M d mod n is computed using her private signing key d. (a) With this simplified RSA scheme, how can Bob verify whether S is a valid signature on message M? In other words, what equation should he check, to confirm whether M, S was validly signed by Alice? S 3 = M mod n. (b) Mallory learns that Alice and Bob are using the simplified (hash-less) signature scheme described above and decides to trick Bob. Mallory wants to send some (M, S) to Bob that Bob will think is from Alice, even though Mallory doesn t know the private key. Explain how Mallory can find M, S such that S will be a valid signature on M. You should assume that Mallory knows Alice s public key n, but not Alice s private key d. She can choose both M and S freely. The message M does not have to be chosen in advance and can be gibberish. Mallory should choose some random value to be S and then compute S 3 mod n to find the corresponding M value. This M, S pair will satisfy the equation in part (a). Alternative solution: Choose M = 1 and S = 1. equation. This will satisfy the (c) Is the attack in parts (b) possible against the real RSA signature scheme (the one that includes the cryptographic hash function)? Why or why not? Discussion 5 Page 4 of 5 CS 161 Sp 16

These attacks are not possible. A hash function is one way, so the attack in part (b) won t work: we can pick a random S and cube it, but then we d need to find some message M such that H(M) is equal to this value, and that s not possible since H is one-way. The attack in part (c) won t work, since given H(M), we d need to find a message M such that H(M ) = 64 H(M), which is also infeasible (since H is one-way). Comment: This is why the real RSA signature scheme includes a hash function: exactly to prevent the attacks you ve seen in this question. Discussion 5 Page 5 of 5 CS 161 Sp 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback