Lecture 1: Course Introduction

Similar documents
Data Integrity. Modified by: Dr. Ramzi Saifan

Cryptographic Checksums

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

Introduction to Cryptography. Lecture 6

UNIT - IV Cryptographic Hash Function 31.1

Message Authentication Codes and Cryptographic Hash Functions

Cryptographic Hash Functions

CS408 Cryptography & Internet Security

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Security protocols and their verification. Mark Ryan University of Birmingham

ENEE 459-C Computer Security. Message authentication

Integrity of messages

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Hash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18

Generic collision attacks on hash-functions and HMAC

What did we talk about last time? Public key cryptography A little number theory

Lecture 1 Applied Cryptography (Part 1)

Authentication Handshakes

Unit III. Chapter 1: Message Authentication and Hash Functions. Overview:

Spring 2010: CS419 Computer Security

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

CSC 474/574 Information Systems Security

Message authentication

Course Administration

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

BAN Logic. Logic of Authentication 1. BAN Logic. Source. The language of BAN. The language of BAN. Protocol 1 (Needham-Schroeder Shared-Key) [NS78]

H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)

Security Requirements

CS Computer Networks 1: Authentication

User Authentication Protocols Week 7

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

S. Erfani, ECE Dept., University of Windsor Network Security

T Cryptography and Data Security

Chapter 9: Key Management

CSCE 715: Network Systems Security

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Information Security CS 526

Appendix A: Introduction to cryptographic algorithms and protocols

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

CSE 127: Computer Security Cryptography. Kirill Levchenko

Session key establishment protocols

Data Integrity & Authentication. Message Authentication Codes (MACs)

Session key establishment protocols

Public-key Cryptography: Theory and Practice

EEC-682/782 Computer Networks I

CSCE 813 Internet Security Kerberos

Winter 2011 Josh Benaloh Brian LaMacchia

Cryptographic Hash Functions

Elements of Security

Security Handshake Pitfalls

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

Message authentication. Why message authentication. Authentication primitives. and secure hashing. To prevent against:

CS 161 Computer Security

Cryptographic Hash Functions. William R. Speirs

Digital Signatures. Secure Digest Functions

Key distribution and certification

13/10/2013. Kerberos. Key distribution and certification. The Kerberos protocol was developed at MIT in the 1980.

CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

CIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Cryptographic hash functions and MACs

CSC 482/582: Computer Security. Security Protocols

Message authentication codes

Computer Networks. Wenzhong Li. Nanjing University

Fall 2010/Lecture 32 1

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.

Symmetric Encryption 2: Integrity

Lecture 4: Cryptography III; Security. Course Administration

CS-E4320 Cryptography and Data Security Lecture 5: Hash Functions

Modelling and Analysing of Security Protocol: Lecture 1. Introductions to Modelling Protocols. Tom Chothia CWI

Security Handshake Pitfalls

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Security Handshake Pitfalls

Message Authentication and Hash function

CS Protocol Design. Prof. Clarkson Spring 2017

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

P2_L8 - Hashes Page 1

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

CPSC 467b: Cryptography and Computer Security

User Authentication Protocols

Network Security. Chapter 7 Cryptographic Protocols

1 Identification protocols

CSC/ECE 774 Advanced Network Security

Crypto Background & Concepts SGX Software Attestation

1 Defining Message authentication

Transcription:

Lecture 1: Course Introduction Thomas Johansson T. Johansson (Lund University) 1 / 37

Chapter 9: Symmetric Key Distribution To understand the problems associated with managing and distributing secret keys. To learn about key distribution techniques based on symmetric key based protocols (To introduce the formal analysis of protocols.) T. Johansson (Lund University) 2 / 37

Key Management To be able to use symmetric encryption algorithms such as DES or Rijndael we need a way for the two communicating parties to share the secret key. key distribution, key selection, key lifetime, Static (or long-term) Keys: to be in use for a long time period. The compromise of a static key is usually considered to be a major problem. Ephemeral, or Session (or short-term) Keys: have a short life-time, maybe a few seconds or a day. The compromise of a session key should only result in the compromise of that session s secrecy and it should not affect the long-term security of the system. T. Johansson (Lund University) 3 / 37

Key Distribution Physical Distribution: Distribution Using Symmetric Key Protocols: Once some secret keys have been distributed between a number of users and a trusted central authority, we can use the trusted authority to help generate keys for any pair of users as the need arises. They are usually very efficient but have some drawbacks. They assume that both the trusted authority and the two users who wish to agree on a key are both on-line. Distribution Using Public Key Protocols: two parties, who have never met or who do not trust any one single authority, can produce a shared secret key, using a key exchange protocol. The most common application of public key techniques for encryption: we agree a key by public key techniques and then use a symmetric cipher to actually do the encryption. T. Johansson (Lund University) 4 / 37

Key Selection All keys should be equally likely and really need to be generated using a true random number generator, however such a good source of entropy is hard to find. A truly random key will be very strong, it is hard for a human to remember. Key size Decimal digits Printable characters 4 10 4 2 13 10 7 2 23 8 10 8 2 26 10 15 2 50 T. Johansson (Lund University) 5 / 37

Secret Key Distribution - Notation Parties/Principals: A,B, S: Two parties who wish to agree a secret are A and B, for Alice and Bob. We assume that they will use a trusted third party, or TTP, which we shall denote by S. d Secret Keys: K ab, K bs, K as. K ab denote a secret key known only to A and B. Nonces: N a, N b. Nonces are numbers used only once, they should be random. The quantity N a denote a nonce originally produced by the principal A. Timestamps: T a, T b, T s. The quantity T a is a timestamp produced by A. When timestamps are used we assume that the parties try to keep their clocks in synchronization. T. Johansson (Lund University) 6 / 37

Secret Key Distribution - notation The statement A B : M, A, B, {N a, M, A, B} Kas, means A sends to B the message to the right of the colon. The message consists of a nonce M, A the name of party A, B the name of party B, a message {N a, M, A, B} encrypted under the key K as which A shares with S. Hence, the recipient B is unable to read the encrypted part of this message. T. Johansson (Lund University) 7 / 37

Secret Key Distribution - assumptions A and B say, only share secret keys, K as and K bs with the trusted third party S. They want to agree/transport a session key K ab. for a communication between themselves. Attacker: intercept any message flow over the network. Stop a message, alter it or change its destination. Also distribute her own messages over the network. New session key should be fresh, i.e. it has not been used before and has been recently created. The freshness property will stop attacks whereby the adversary replays messages so as to use an old key again. T. Johansson (Lund University) 8 / 37

Wide-Mouth Frog Protocol S decrypts the last part of the message and checks that the timestamp is recent. This tells S he should forward the key to the party called B. S encrypts the key along with his timestamp and passes this encryption onto B. B decrypts the message received and checks the time stamp is recent. He can recover both K ab and the name A of the person who wants to send data to him using this key. T. Johansson (Lund University) 9 / 37

Wide-Mouth Frog Protocol - Drawbacks synchronized clocks, assumes that A chooses the session key K ab and then transports this key over to user B. user A could have generated this key years ago and stored it on his hard disk, in which time Eve broke in and took a copy of this key. T. Johansson (Lund University) 10 / 37

Needham-Schroeder Protocol 1. tells S that A wants a key to communicate with B. 2. S generates K ab and sends it to A. The nonce N a is included so that A knows this was sent after her first message. The session key is also encrypted under the key K bs for sending to B. 3. The session key is encrypted under K bs and sent to B. 4. B needs to check that this was not a replay. He encrypts a nonce back to A. 5. A encrypts a simple function of B s nonce back to B, to prove to B T. Johansson (Lund University) 11 / 37

Needham-Schroeder Protocol - problem B does not know that the key he shares with A is fresh, An adversary who finds an old session transcript can, after finding the old session key by some other means, use the old session transcript in the last three messages involving B. T. Johansson (Lund University) 12 / 37

Otway-Rees Protocol Since the protocol does not make use of K ab as an encryption key, neither party knows whether the key is known to each other. Does not offer key confirmation. T. Johansson (Lund University) 13 / 37

Kerberos authentication system based on symmetric encryption with keys shared with an authentication server. developed at MIT around 1987. The network consist of clients and a server. Clients may be users, programs or services. A central database of clients including a secret key for each client. Kerberos provide authentication of one entity to another and issue session keys to these entities. Kerberos run a ticket granting system to enable access control to services and resources. T. Johansson (Lund University) 14 / 37

Kerberos Kerberos: an authentication server and a ticket generation server TGS. Suppose A wishes to access a resource B. A logs onto the authentication server using a password. A is given a ticket from this server encrypted under her password. This ticket contains a session key K as. uses K as to obtain a ticket from the TGS S to access the resource B. The output is a key K ab, a timestamp T S and a lifetime L. T. Johansson (Lund University) 15 / 37

We have removed the problems associated with the Needham-Schroeder protocol by using timestamps, but this has created the requirement for synchronized clocks. T. Johansson (Lund University) 16 / 37

Formal Approaches to Protocol Checking To try and make the design of these protocols more scientific a number of formal approaches have been proposed. The most influential of these is the BAN logic. Read if you are interested. T. Johansson (Lund University) 17 / 37

Chapter 10: Hash Functions and Message Authentication Codes Guarantee integrity of information after the application of the function. A cryptographic hash function is keyless, a MAC has a key. A cryptographic hash function is usually used as a component of another scheme. T. Johansson (Lund University) 18 / 37

Hash Functions A cryptographic hash function h is a function which takes arbitrary length bit strings as input and produces a fixed length bit string as output, the hash value. A cryptographic hash function should be one-way: given any string y from the range of h, it should be computationally infeasible to find any value x in the domain of h such that h(x) = y. Given a hash function with outputs of n bits, we would like a function for which finding preimages requires O(2 n ) time. T. Johansson (Lund University) 19 / 37

Hash Functions - collision resistant In practice we need something more than the one-way property. A hash function is called collision resistant if it is infeasible to find two distinct values x and x such that h(x) = h(x ). Birthday paradox: To find a collision of a hash function f, we can keep computing f(x 1 ), f(x 2 ), f(x 3 ),... until we get a collision. Output size n bits, then we expect to find a collision after O(2 n/2 ) tries. T. Johansson (Lund University) 20 / 37

Hash Functions - Second Preimage Resistant Second preimage resistant: given x it should be hard to find an x x with h(x ) = h(x). a cryptographic hash function with n-bit outputs should require O(2 n ) operations before one can find a second preimage. T. Johansson (Lund University) 21 / 37

Hash Functions - requirements Preimage Resistant: It should be hard to find a message with a given hash value. Second Preimage Resistant: Given one message it should be hard to find another message with the same hash value. Collision Resistant: It should be hard to find two messages with the same hash value. T. Johansson (Lund University) 22 / 37

Lemma Assuming a function is preimage resistant for almost every element of the range of h is a weaker assumption than assuming it either collision resistant or second preimage resistant. Lemma Assuming a function is second preimage resistant is a weaker assumption than assuming it is collision resistant. T. Johansson (Lund University) 23 / 37

Designing Hash Functions Designing functions of infinite domain is hard, one builds a so called compression function, which maps bits strings of length s into bit strings of length n, for s > n, and then chains this in some way to produce a function on an infinite domain. The most famous chaining method, the Merkle-Damgård construction. T. Johansson (Lund University) 24 / 37

Merkle-Damgård construction f is a compression function from s bits to n bits, s > n, believed to be collision resistant. use f to construct h which takes arbitrary length inputs. 1. l = s n. Pad m with zeros so it is a multiple of l bits, write m = m 1 m 2 m t. Set H to some fixed value. 2. for i = 1 to t do H = f(h m i ) 3. Set h(m) = H. T. Johansson (Lund University) 25 / 37

Merkle-Damgård construction Length strengthening: input message is preprocessed by first padding with zero bits to obtain a message which has length a multiple of l bits. Then a final block of l bits is added which encodes the original length of the unpadded message in bits. The construction is limited to hashing messages with length less than 2 l bits. Theory: If f is collision resistant then so is h. T. Johansson (Lund University) 26 / 37

Constructions: The MD4 Family Most widely deployed: MD5, RIPEMD-160 and SHA-1. MD4: 3 rounds of 16 steps and an output bitlength of 128 bits. MD5: 4 rounds of 16 steps and an output bitlength of 128 bits. SHA-1: 4 rounds of 20 steps and an output bitlength of 160 bits. RIPEMD-160: 5 rounds of 16 steps and an output bitlength of 160 bits. SHA-256: 64 rounds of single steps and an output bitlength of 256 bits. SHA-384: identical to SHA-512 except the output is truncated to 384 bits. SHA-512: 80 rounds of single steps and an output bitlength of 512 bits. In recent years a number of weaknesses have been found in almost all of the early hash functions in the MD4 family, for example MD4, MD5 and SHA-1. T. Johansson (Lund University) 27 / 37

SHA-1 the internal state of the algorithm is a set of five 32-bit values (H1, H2, H3, H4, H5). define four round constants y 1, y 2, y 3, y 4. The length strengthening method used is to first append a one bit to the message, to signal its end and then to pad with zeros to a multiple of the block length = 512 bits. Finally the number of bits of the message is added as a seperate final block. T. Johansson (Lund University) 28 / 37

SHA-1 The data stream is loaded 16 words at a time into X j for 0 j < 16. The output is the concatenation of the final value of H1, H2, H3, H4, H5. T. Johansson (Lund University) 29 / 37

SHA-1 T. Johansson (Lund University) 30 / 37

SHA-1 Three bit-wise functions of three 32-bit variables: f(u, v, w) = (u v) (( u) w), g(u, v, w) = (u v) (u w) (v w), h(u, v, w) = u v w. T. Johansson (Lund University) 31 / 37

Hash Functions from Block Ciphers. Pad the message to be hashed and divide it into blocks x 0, x 1,..., xt, H0 = IV, and iterate H i = f(x i, H i 1 ). For example, a Davies-Meyer hash f(x i, H i 1 ) = E xi (H i 1 ) H i 1. T. Johansson (Lund University) 32 / 37

Message Authentication Codes A hash function cannot protect message integrity because it is keyless. One can use a keyed hash function, called a message authentication code, or MAC. Two parties, who share a secret key, wish to ensure that a message transmitted between them has not been tampered with. They produce a check-value, or MAC, which is sent with the data, code = MAC k (m) where MAC is the check function, k is the secret key, m is the message. T. Johansson (Lund University) 33 / 37

Message Authentication Codes If we wish our message to remain confidential then we should encrypt it before applying the MAC. The user transmits e k1 (m), MAC k2 (e k1 (m)). data encapsulation mechanism, or DEM for short. Note, that different keys are used for the encryption and the MAC. Security: It should be hard given some MACs on some messages to produce a MAC on a new message. T. Johansson (Lund University) 34 / 37

MACs from hash functions. First idea: concaternate the key with the message and then apply the hash function. For example MAC k (M) = h(k M). Problem (Merkle-Damgård construction.): Suppose one obtains the MAC c 1 on the t block message m 1 c 1 = MAC k (m 1 ) = h(k m 1 ). Then, without knowledge of k, compute the MAC c 2 on the t + 1 block message m 1 m 2 for any m 2 of one block in length, via c 2 = MAC k (m 1 m 2 ) = f(c1 m2). applies also to the length strengthened version. T. Johansson (Lund University) 35 / 37

HMAC Other unsuccessful attempts: MAC k (M) = h(m k). The standard and secure way: HMAC, occurring in a number of standards documents, works as follows: HM AC = h(k p1 h(k p2 M)), where p 1 and p 2 are strings used to pad out the input to the hash function to a full block. T. Johansson (Lund University) 36 / 37

Producing MACs from block ciphers. There are various types of MAC schemes based on block ciphers. Best known and most widely used by far are the CBC-MACs. various international standards dating back to the early 1980s. These early standards specify the use of DES in CBC mode to produce a MAC. T. Johansson (Lund University) 37 / 37

CBC MACs The data is padded to form a series of n-bit blocks. The blocks are encrypted using the block cipher in CBC Mode. Take the final block as the MAC, after an optional postprocessing stage and truncation. Diskussion on padding, postprocessing and security implications, see the book. T. Johansson (Lund University) 38 / 37

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback