Lecture 7 - Applied Cryptography

Similar documents
Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

CS Computer and Network Security: Applied Cryptography

CS 161 Computer Security

Lecture 6 - Cryptography

Spring 2010: CS419 Computer Security

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

CSC574: Computer & Network Security

CS Computer Networks 1: Authentication

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Module: Cryptography. Professor Patrick McDaniel Fall CSE543 - Introduction to Computer and Network Security

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

CS 161 Computer Security

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Information Security CS 526

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

CSE543 Computer and Network Security Module: Network Security

CS 161 Computer Security

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

UNIT - IV Cryptographic Hash Function 31.1

Authentication and Key Distribution

CSE 127: Computer Security Cryptography. Kirill Levchenko

Cryptographic Checksums

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

1 Identification protocols

ECEN 5022 Cryptography

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

CIS 4360 Secure Computer Systems Applied Cryptography

Encryption 2. Tom Chothia Computer Security: Lecture 3

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

2.1 Basic Cryptography Concepts

CSC 774 Network Security

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Fall 2010/Lecture 32 1

Kurose & Ross, Chapters (5 th ed.)

Securing Internet Communication: TLS

Introduction to Modern Cryptography. Benny Chor

CSCE 813 Internet Security Kerberos

CSC/ECE 774 Advanced Network Security

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

Cryptography Functions

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Session key establishment protocols

What did we talk about last time? Public key cryptography A little number theory

CS 425 / ECE 428 Distributed Systems Fall 2017

Lecture 1: Course Introduction

Crypto Background & Concepts SGX Software Attestation

Session key establishment protocols

Data Integrity. Modified by: Dr. Ramzi Saifan

Lecture 3 - Passwords and Authentication

Strong Password Protocols

CS408 Cryptography & Internet Security

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

More crypto and security

Other Topics in Cryptography. Truong Tuan Anh

Authentication Handshakes

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

1. Diffie-Hellman Key Exchange

Applied Cryptography and Computer Security CSE 664 Spring 2017

HOST Authentication Overview ECE 525

Applied Cryptography Basic Protocols

CSC 474/574 Information Systems Security

EEC-682/782 Computer Networks I

Computational Security, Stream and Block Cipher Functions

Cryptographic Concepts

Cryptographic Protocols 1

Password. authentication through passwords

Diffie-Hellman. Part 1 Cryptography 136

KEY AGREEMENT PROTOCOLS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 13 of Trappe and Washington

CIS 4360 Secure Computer Systems Symmetric Cryptography

Chapter 9: Key Management

Solution of Exercise Sheet 10

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Ref:

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange. Dan Boneh

CPSC 467: Cryptography and Computer Security

Exercises with solutions, Set 3

Notes for Lecture 14

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

Authentication. Overview of Authentication systems. IT352 Network Security Najwa AlGhamdi

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Cryptographic hash functions and MACs

6. Security Handshake Pitfalls Contents

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

CS /29/17. Paul Krzyzanowski 1. Fall 2016: Question 2. Distributed Systems. Fall 2016: Question 2 (cont.) Fall 2016: Question 3

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

CSC 482/582: Computer Security. Security Protocols

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Introduction to Cryptography. Lecture 6

Cryptography III Want to make a billion dollars? Just factor this one number!

CSE Computer Security

Transcription:

CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Lecture 7 - Applied Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/

Applied Cryptography Applied Cryptographic is the art and science of using cryptographic primitives to achieve specific goals. The use of the the tools is called a construction e.g., encryption (achieves confidentiality) E(k,d) = c Much of network and systems security is based on the integration of constructions with the system. CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger 2

Some notation You will generally see protocols defined in terms of exchanges containing some notation like All players are identified by their first initial E.g., Alice=A, Bob=B d is some data pw A is the password for A k AB is a symmetric key known to A and B A +, A - is a public/private key pair for entity A E(k,d) is encryption of data d with key k h(d) is the hash of data d S(A -,d) is the signature (using A s private key) of data d + is used to refer to concatenation CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger 3

Providing Authenticity/Integrity CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger 4 Most of what we have talked about so far deals with achieving confidentiality using encryption. However, and often equally or more important property is authenticity authenticity is the property that we can associate a data with a specific entity from whence it came/belongs to Integrity is the property that the data has not been modified Note that integrity is a necessary but not sufficient condition for authenticity (why?)? Q: How do we use cryptography for these goals?

Hashed Message Authentication Authentication Code Codes HMAC Authenticates/integrity for data d in symmetric key system Uses some key k and hash algorithm h To simplify, hmac(k,d) = h(k d) Why does this provide authenticity? Cannot produce hmac(k,d) unless you know k and d If you could, then can break h Exercise for class: prove the previous statement Used in protocols to authenticate content CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger 5

Using HMACs Assume I am going to send you a random number r over a network, and that we share a key k I could send you E(k,r)... over the network. Q: Is there anything wrong with this approach? Hint: think of an active attacker. CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger 6

Using HMACs (cont.) An active attacker could replace the value E(k,r) with any random bits and I would not know it. The central point is that I cannot tell one decrypted random value from another Attacker can change the cipher, but not know the result (e.g., confidentiality is preserved) A fix: E(k, r), HMAC(k, r) Now, the adversary cannot generate a HMAC that will properly validate without knowing k Extra credit: how would you prevent a replay attack? CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger 7

Digital Signatures CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger 8 Models physical signatures in digital world Association between private key and document and indirectly identity and document. Asserts that document is authentic and non-reputable To sign a document Given document d, private key k - To simplify, Validation S(k,d) = E(k,h(d)) Given document d, signature S(d), public key k + To simplify, D(k +,S(d)) = h(d)

Using Signatures... CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger 9 Assume you want to certify/endorse some data d You want anyone to be able to validate the item after the fact, even when you are not around Just sign the document, leave it with your public key d,s(d),k + Of course, then you have the problem of securely identifying which key belongs to you. This is the purpose of a public key infrastructure, covered in future lectures. This is the approach taken in most electronic commerce systems e.g., signing receipts, transactions, etc....

Meet Alice and Bob. Alice and Bob are the canonical players in the cryptographic world. They represent the end points of some interaction Used to illustrate/define a security protocol Other players occasionally join Trent - trusted third party Mallory - malicious entity Eve - eavesdropper Ivan - an issuer (of some object) CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger 10

Using hash values as authenticators Consider the following scenario Alice is a teacher who has not decided if she will cancel the next lecture. When she does decide, she communicates to Bob the student through Mallory, her evil TA. She does not care if Bob shows up to a cancelled class Alice does not trust Mallory to deliver the message. She and Bob use the following protocol: 1. Alice invents a secret t 2. Alice gives Bob h(t), where h() is a crypto hash function 3. If she cancels class, she gives t to Mallory to give to Bob If does not cancel class, she does nothing If Bob receives the token t, he knows that Alice sent it CSE497b Introduction to Computer (and Network) Security - Spring 2007 - Professor Jaeger 11

Hash Authenticators Why is this protocol secure? t acts as an authenticated value (authenticator) because Mallory could not have produced t without inverting h() Note: Mallory can convince Bob that class is occurring when it is not by simply not delivering h(t) (but we assume Bob is smart enough to come to that conclusion when the room is empty) What is important here is that hash preimages are good as (single bit) authenticators. Note that it is important that Bob got the original value h(t) from Alice (i.e., was provably authentic) CSE497b Introduction to Computer (and Network) Security - Spring 2007 - Professor Jaeger 12

Hash chain Now, consider the case where Alice wants to do the same protocol, only for all 26 classes (the semester) Alice and Bob use the following protocol: 1.Alice invents a secret t 2.Alice gives Bob H 26 (t), where H 26 () is 26 repeated applications of H(). 3.If she cancels class on day d, she gives H (26-D) (t) to Mallory, e.g., If cancels on day 1, she gives Mallory H 25 (t) If cancels on day 2, she gives Mallory H 24 (t). If cancels on day 25, she gives Mallory H 1 (t) If cancels on day 26, she gives Mallory t 4.If does not cancel class, she does nothing If Bob receives the token t, he knows that Alice sent it CSE497b Introduction to Computer (and Network) Security - Spring 2007 - Professor Jaeger 13

Hash Chain (cont.) Why is this protocol secure? On day d, H (26-d) (t) acts as an authenticated value (athenticator) because Mallory could not produce t without inverting H() because for any H k (t) she has k>(26-d) That is, Mallory potentially has access to the hash values for all days prior to today, but that provides no information on today s value, because they are all post-images of today s value Note: Mallory can again convince Bob that class is occurring by not delivering H (26-d) (t) Important: chain of hash values are ordered authenticators Important that Bob got the original value H 26 (t) from Alice directly (was provably authentic) CSE497b Introduction to Computer (and Network) Security - Spring 2007 - Professor Jaeger 14

Key Distribution Key Distribution is the process where we assign and transfer keys to a participant Out of band (e.g., passwords, simple) During authentication (e.g., Kerberos) As part of communication (e.g., skip-encryption) Key Agreement is the process whereby two parties negotiate a key 2 or more participants E.g., Diffie, Hellman Typically, key distribution/agreement occurs in conjunction with or after authentication. However, many applications can pre-load keys CSE543 Computer (and Network) Security - Fall 2005 - Professor McDaniel

Simple Key Distribution CSE543 Computer (and Network) Security - Fall 2005 - Professor McDaniel (simplified view) Assume you have 4 participants Distribute 3 out of 4 total keys to each participant Any two participants can generate a unique key [k 1 k 2 k 3 ] D How: pick XOR of the keys that are not held by the other participants E.g., Assume A and C want to communicate k AC = k 2 XOR k 4 [k 2 k 3 k 4 ] A [k 1 k 3 k 4 ] B [k 1 k 2 k 4 ] C

Simple Key Distribution (cont.) CSE543 Computer (and Network) Security - Fall 2005 - Professor McDaniel Why does this work? B cannot eavesdrop because it does not know k 2 D cannot eavesdrop because it does not know k 4 General construction Create large set of keys {k 1,k 2, k n } Give precisely 1/2 of keys to each participant Make sure that no two sets of assigned keys are compliments Any two participants can communicate The more keys you have, the more likely it is that two participants can generate a key Q: Can you attack this system?

Simple Key Distribution (cont.) CSE543 Computer (and Network) Security - Fall 2005 - Professor McDaniel Collusion: two or more adversaries attempt to circumvent the security services In the case of simple key distribution, if several of the participants are evil and collude, then they have the full set of keys and the game is up E.g., [k 1 k 2 k 3 ] [k 1 k 3 k 4 ] D + = [k B 1 k 2 k 3 k 4 ] Topic area: simple key distribution is use in severely resource constrained environments (e.g., sensor networks) because of the low performance requirements However, storage is often a problem

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback