Cryptographic Protocols 1

Similar documents
Diffie-Hellman. Part 1 Cryptography 136

CS 161 Computer Security

Chapter 9: Key Management

Datasäkerhetsmetoder föreläsning 7

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Information Security CS 526

Authentication Handshakes

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

T Cryptography and Data Security

PROVING WHO YOU ARE TLS & THE PKI

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

CSC 474/574 Information Systems Security

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

What did we talk about last time? Public key cryptography A little number theory

Spring 2010: CS419 Computer Security

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Fall 2010/Lecture 32 1

Real-time protocol. Chapter 16: Real-Time Communication Security

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

Security: Focus of Control. Authentication

Security Handshake Pitfalls

Security Handshake Pitfalls

CS 494/594 Computer and Network Security

Applied Cryptography Basic Protocols

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Security: Focus of Control

Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography

Security Handshake Pitfalls

Session key establishment protocols

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

Session key establishment protocols

Network Security (NetSec)

ECE 646 Lecture 3. Key management

Authentication and Key Distribution

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

CSC 482/582: Computer Security. Security Protocols

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange. Dan Boneh

Key Establishment and Authentication Protocols EECE 412

CPSC 467b: Cryptography and Computer Security

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Cryptographic Checksums

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

Outline Key Management CS 239 Computer Security February 9, 2004

Authentication in Distributed Systems

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Applied Cryptography and Computer Security CSE 664 Spring 2017

Lecture 15 Public Key Distribution (certification)

Network Security. Chapter 7 Cryptographic Protocols

CIS 4360 Secure Computer Systems Applied Cryptography

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Computer Security 3e. Dieter Gollmann. Chapter 15: 1

22-security.txt Tue Nov 27 09:13: Notes on Security Protocols , Fall 2012 Carnegie Mellon University Randal E.

CIS 6930/4930 Computer and Network Security. Final exam review

Modern cryptography 2. CSCI 470: Web Science Keith Vertanen

Securing Internet Communication: TLS

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

Public-Key Infrastructure NETS E2008

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

Elements of Security

Auth. Key Exchange. Dan Boneh

Crypto meets Web Security: Certificates and SSL/TLS

Computer Security. 10. Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

Security Handshake Pitfalls

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

Chapter 10 : Private-Key Management and the Public-Key Revolution

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Security. Alessandro Margara Slides based on previous work by Matteo Migliavacca and Alessandro Sivieri

Key Management and Distribution

Key management. Required Reading. Stallings, Cryptography and Network Security: Principles and Practice, 5/E or 6/E

Distributed Systems Principles and Paradigms. Chapter 09: Security

Introduction to Cryptography. Ramki Thurimella

1. Diffie-Hellman Key Exchange

Course Administration

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Key Management and Distribution

CS3235 Seventh set of lecture slides

CT30A8800 Secured communications

Authenticating People and Machines over Insecure Networks

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CS Computer Networks 1: Authentication

Chapter 10: Key Management

ECE 646 Lecture 3. Key management. Required Reading. Using the same key for multiple messages

Cryptography and Network Security

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Network Security Chapter 8

Transcription:

Cryptographic Protocols 1 Luke Anderson luke@lukeanderson.com.au 5 th May 2017 University Of Sydney

Overview 1. Crypto-Bulletin 2. Problem with Diffie-Hellman 2.1 Session Hijacking 2.2 Encrypted Key Exchange (EKE) 2.3 Definitions 3. Needham-Schroeder Protocol 4. Public Key Management 4.1 Certificate Authorities 4.2 Trust Models

Crypto-Bulletin

Crypto-Bulletin Massive Google Docs phishing attack hits Gmail users https://www.itnews.com.au/news/ massive-google-docs-phishing-attack-hits-gmail-users-460436 Watch out IT admins: you re a hacker s new target https: //www.itnews.com.au/news/watch-out-it-admins-youre-a-hackers-new-target-459590 Blind Trust in Email Could Cost You Your Home https: //krebsonsecurity.com/2017/04/blind-trust-in-email-could-cost-you-your-home/

Problem with Diffie- Hellman

Man-in-the-Middle Suppose Alice and Bob are performing Diffie Hellman key exchange, but a third party (Eve) actually owns the channel, and can intercept traffic. Alice Eve Bob Hi, I m Alice Hi, I m Alice g x mod p g b mod p g a mod p g x mod p Shared secret for Alice/Eve is g ax mod p. Shared secret for Eve/Bob is g bx mod p. Eve owns the channel and neither Alice nor Bob know!

Man-in-the-Middle Example: Alice Eve Bob Alice, e A Bob, e B Bob, e Y Alice, e X e Y ( Nuke Eve! ) e B ( Disarm Missiles. ) Eve owns the channel!

Session Hijacking Hello, I m Alice Alice Nonce: r sign A (r) Bob Eve Eve owns the channel!

EKE Encrypted Key Exchange Hello, I m Alice Alice E K (g b mod p) E K (g a mod p) Bob The shared secret is g ab mod p. A (possibly low entropy) shared key k is used to form the high entropy shared secret. Prevents eavesdropping, and active attacks on DH. Maintains forward secrecy. What is the obvious problem?

EKE Encrypted Key Exchange Hello, I m Alice Alice E K (g b mod p) E K (g a mod p) Bob The shared secret is g ab mod p. A (possibly low entropy) shared key k is used to form the high entropy shared secret. Prevents eavesdropping, and active attacks on DH. Maintains forward secrecy. What is the obvious problem? Public key crypto would be great, but we need a way of obtaining Bob s public key without contacting him...

Definitions A protocol is said to have perfect forward secrecy if disclosure of long-term keys does not compromise past (short term) sessions. Ephemeral keys (such as are generated during Diffie Hellman) give this automatically. Encrypting everything directly with an RSA public key does not have forward secrecy. A protocol is vulnerable to a known-key attack if disclosure of past session keys allows an attacker to compromise future session keys (including actively impersonating).

Needham-Schroeder Protocol

Needham Schroeder Protocol The Needham Schroeder protocol facilitates key exchange using a trusted third party (TPP). Alice and Bob want to set up a session key for communication. All parties share a key with Trent, the TPP. 1. Alice sends Trent a request to talk to Bob: (A, B, r A ), where r A is a nonce. 2. Trent sends Alice a session key, and a ticket to give to Bob: E kat (r A, B, k AB, E kbt (k AB, A)). 3. Alice sends Bob the ticket: (E kbt (k AB, A), E kab (s A )). 4. Bob challenges Alice: E kab (s A 1, r B ), where r B is a nonce. 5. Alice responds to Bob s challenge: E kab (r B 1).

Needham Schroeder Protocol The Needham Schroeder protocol facilitates key exchange using a trusted third party (TPP). Alice and Bob want to set up a session key for communication. All parties share a key with Trent, the TPP. 1. Alice sends Trent a request to talk to Bob: (A, B, r A ), where r A is a nonce. 2. Trent sends Alice a session key, and a ticket to give to Bob: E kat (r A, B, k AB, E kbt (k AB, A)). 3. Alice sends Bob the ticket: (E kbt (k AB, A), E kab (s A )). 4. Bob challenges Alice: E kab (s A 1, r B ), where r B is a nonce. 5. Alice responds to Bob s challenge: E kab (r B 1). What if Eve gets a hold of k AT somehow?

Needham Schroeder Protocol Problem: Bob has no guarantee that k AB is fresh. Old session keys are valuable, as they do not expire. 1. Suppose Eve manages to get k AT. 2. She can now read all of Alice s messages and impersonate her to everyone else. 3. Alice needs to revoke her key, but the only person that can make this have an effect is Trent. 4. Key revocation is a major problem. Needham-Schroeder s problem is that it assumes all users of the system are good guys, and the goal is to keep the bad guys from getting in the eggshell model.

Kerberos Kerberos is a protocol which builds on the Needham Schroeder protocol, and allows nodes within an insecure network to prove identity to each other. Extra reading: Designing an Authentication System: a Dialogue in Four Scenes.

Public Key Management

Public Key Management using Certification Authorities A public key certificate binds a public key to its owner: 1. Alice sends her public key to the CA (Trent). 2. The CA produces a certificate for Alice. 3. Alice sends her public key and certificate to Bob. 4. Bob verifies the certificate using Alice s public key. 5. Bob sends encrypted messages to Alice using the key. Certificate = sign CA [X.500: name, org, address, pubkey, expires,...] Everyone must be able to verify the CA s public key, so it is shipped with OS s, browsers, etc. The CA is a trusted party: it has the ability to issue signatures to whomever.

Public Key Certificate Generation 1. Alice generates a public/private keypair. 2. Alice sends the public key to the CA. 3. The CA challenges Alice to see if she knows the private key. 4. The CA generates a certificate and sends it to Alice. Important Note: 1. The CA never learns Alice s private key. 2. Important for forward secrecy. 3. A compromise of the CA can still lead to people pretending to be Alice.

Certificate Revocation Alice s certificate may need to be revoked. Her private key is stolen or otherwise compromised. She changes jobs (or trustworthiness). This is a major problem with the CA system. May require daily certification-validation information (slow, cumbersome). Use expiration date field. Use of a certificate revocation list (CRL) which is circulated (like bad credit cards.)

Trust Models Symmetric Keys TTP must be online (used every session). Alice TTP is a juicy target (knows passwords). No forward Secrecy. Carol KDC Bob Asymmetric Keys TTP is offline (only used in generation). TTP only knows public keys. TTP has forward secrecy. Carol CA Not as fast (e..g SSL/TLS, PGP,...) Bob Alice

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback