Course Administration

Similar documents
CS 392/6813: Computer Security Fall Nitesh Saxena. *Adopted from Previous Lectures by Nasir Memon

Lecture 4: Cryptography III; Security. Course Administration

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Key Management and Distribution

Data Integrity. Modified by: Dr. Ramzi Saifan

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Information Security CS 526

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

UNIT - IV Cryptographic Hash Function 31.1

Cryptographic Checksums

CS Computer Networks 1: Authentication

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Fall 2010/Lecture 32 1

Lecture 1: Course Introduction

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

CS408 Cryptography & Internet Security

Cryptography and Network Security

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Lecture 15 Public Key Distribution (certification)

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

Introduction to Cryptography. Lecture 6

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Chapter 9: Key Management

T Cryptography and Data Security

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Lecture 1 Applied Cryptography (Part 1)

Unit III. Chapter 1: Message Authentication and Hash Functions. Overview:

Kurose & Ross, Chapters (5 th ed.)

User Authentication. Modified By: Dr. Ramzi Saifan

User Authentication Principles and Methods

CSC 482/582: Computer Security. Security Protocols

KEY DISTRIBUTION AND USER AUTHENTICATION

Cryptology Part 1. Terminology. Basic Approaches to Cryptography. Basic Approaches to Cryptography: (1) Transposition (continued)

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Lecture 4: Hashes and Message Digests,

Cryptography and Network Security

CIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries

Cryptographic Protocols 1

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

P2_L8 - Hashes Page 1

Data Integrity & Authentication. Message Authentication Codes (MACs)

CSE 565 Computer Security Fall 2018

ECE 646 Lecture 3. Key management

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Public-Key Infrastructure NETS E2008

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

CS November 2018

Authentication in Distributed Systems

Digital Certificates Demystified

Integrity of messages

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

Lecture 4: Authentication and Hashing

Trusted Intermediaries

AIT 682: Network and Systems Security

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

Cryptographic Hash Functions

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

Key management. Pretty Good Privacy

Security: Focus of Control

CSCE 715: Network Systems Security

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

CPSC 467b: Cryptography and Computer Security

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.

Public-key Cryptography: Theory and Practice

Security: Focus of Control. Authentication

Radius, LDAP, Radius, Kerberos used in Authenticating Users

Message authentication codes

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Unit 8 Review. Secure your network! CS144, Stanford University

Diffie-Hellman. Part 1 Cryptography 136

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

Message authentication

Verteilte Systeme (Distributed Systems)

Introduction to Cryptography. Ramki Thurimella

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Introduction and Overview. Why CSCI 454/554?

CS530 Authentication

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Data Integrity & Authentication. Message Authentication Codes (MACs)

CSE 127: Computer Security Cryptography. Kirill Levchenko

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Key management. Required Reading. Stallings, Cryptography and Network Security: Principles and Practice, 5/E or 6/E

CSCE 813 Internet Security Kerberos

X.509. CPSC 457/557 10/17/13 Jeffrey Zhu

Transcription:

Lecture 6: Hash Functions, Message Authentication and Key Distribution CS 392/6813: Computer Security Fall 2010 Nitesh Saxena *Adopted from Previous Lectures by Nasir Memon Course Administration HW3 was posted due Oct 22 HW2 is being graded Delay due to MyPoly debacle HW2 solution will be provided soon Mid-Term on 10/28 Closed-books/closed-notes In-class Would cover lecture material until 10/21 Final Exam on Dec 16 2

Outline of Today s lecture Hash Functions Properties Known Hash Function SHA-1 Message Authentication using hash fns: HMAC Private Key Distribution Public Key Distribution: PKI Certification Revocation 3 Cryptographic Hash Functions Requirements of cryptographic hash functions: Can be applied to data of any length. Output is fixed length Relatively easy to compute h(x), given x and deterministic Infeasible to get x, given h(x). One-wayness property Given x, infeasible to find y such that h(x) = h(y). Weak-collision resistance property. Infeasible to find any pair x and y such that h(x) = h(y). Strong-collision resistance property. 4

Hash Output Length How long should be the output (n bits) of a cryptographic hash function? To find collision - randomly select messages and check if hash matches any that we know. Throwing k balls in N = 2 n bins. How large should k be, before probability of landing two balls in the same becomes greater than ½? Birthday paradox - a collision can be found in roughly sqrt(n) = 2 (n/2) trials for an n bit hash In a group of 23 )(~ sqrt(365)) people, at least two of them will have the same birthday (with a probability > ½) Hence n should be at least 160 5 Birthday Paradox Probability that hash values of k random messages are distinct is (that is, no collisions) is: k 1 1 2 k 1 i = 1 1 K 1 = 1 N N N n i= 1 k 1 in x x / ( e ) x e x e x x x 2 3 (as for small, 1,as = 1 + L) i= 1 2! 3! kk ( 1)/2N = e So for at least one collision we have probability of whose va lue is above 0.5 when k= 1.17 N kk ( 1)/2N ( ) 1 e 6

Generic Hash Function 7 8

9 10

11 12

13 14

15 16

Other Hash Functions Many other hash functions SHA-2 (SHA-256) MD5 Message Digest algorithm 5 Very similar to SHA study on your own MD4 MD6.. 17 Current Security of MD5 and SHA-1 SHA-1 B day attack requires 2 80 calls Faster attacks 2 69 calls http://www.infosec.sdu.edu.cn/paper/sha1-crypto-auth-new- 2-yao.pdf MD5 Output is 128-bits, so B day attack requires 2 64 calls only Faster attacks to find a collision: http://eprint.iacr.org/2004/199.pdf Better use stronger versions, such as SHA-256 Although, these attacks are still not practical they only find two random messages that collide 18

Message Authentication Codes Integrity as well as authentication (m, MAC) We want MAC to be as small and as secure as possible Security based on the length of the key and also how the MAC is computed A MAC can be constructed based on any good symmetric cipher though this can be computationally expensive. 19 Recall MAC Using DES in CBC mode Time = 1 D 1 (64 bits) Time = 2 D 2 Time = N - 1 D N-1 Time = N D N + + + K (56 bits) DES Encrypt K DES Encrypt K DES Encrypt K DES Encrypt O 1 (64 bits) O 2 O N-1 O N DAC (16 to 64 bits) 20

Security notion for MAC Very similar to the security notion for a digital signature scheme Existential forgery under (adaptively) chosen message attack 21 HMAC: MAC using Hash Functions Developed as part of IPSEC - RFC 2104. Also used in SSL etc. Key based hash but almost as fast as non-key based hash functions. Avoids export restrictions unlike DES based MAC. Provable security Can be used with different hash functions like SHA-1,MD5, etc. 22

K + K + HMAC S i ipad opad IV b bits Y 0 IV b bits n bits n bits S o b bits b bits Y 1 Y L-1 Hash Hash n bits n bits H(S i M) pad to b bits HMAC K (M) Block size b bits. K + - K padded with bits on the left to make b bits. ipad 0110110 (ox36) repeated b/8 times. opad 1011100 (0x5c) repeated b/8 times. Essentially HMAC K = H[(K + xor opad) H[(K + xor ipad) M]] 23 Security of HMAC Security related to the collision resistance of the underlying hash function http://www.cse.ucsd.edu/~mihir/papers/hma c.html 24

HMAC An Efficient Implementation Precomputed Computed per message K + ipad b bits S i b bits b bits b bits Y 0 Y 1 Y L-1 IV f n bits Hash K + opad n bits H(S i M) pad to b bits S o b bits IV f n bits f n bits HMACK(M) 25 Key Distribution Cryptographic primitives seen so far assume In private key setting: Alice and Bob share a secret key which is unknown to Oscar. In public key setting: Alice has a trusted (or authenticated) copy of Bob s public key. But how does this happen in the first place? Alice and Bob meet and exchange key(s) Not always practical or possible. We need key distribution, first and foremost! Idea: mane use of a trusted third party (TTP) 26

Private Key Distribution: attempt 1 Protocol assumes that Alice and Bob share a session key K A and K B with a Key Distribution Center (KDC). Alice calls Trent (Trusted KDC) and requests a session key to communicate with Bob. Trent generates random session key K and sends E KA (K) to Alice and E KB (K) to Bob. Alice and Bob decrypt with K A and K B respectively to get K. This is a key distribution protocol. Susceptible to replay attack! 27 Session Key Exchange with KDC Needham-Schroeder Protocol A -> KDC ID A ID B N 1 (Hello, I am Alice, I want to talk to Bob, I need a session Key and here is a random nonce identifying this request) KDC -> A E KA ( K ID B N 1 E KB (K ID A )) Encrypted(Here is a key, for you to talk to Bob as per your request N 1 and also an envelope to Bob containing the same key) A -> B E KB (K ID A ) (I would like to talk using key in envelope sent by KDC) B -> A E K (N 2 ) (OK Alice, But can you prove to me that you are indeed Alice and know the key?) A -> B E K (f(n 2 )) (Sure I can!) Dennig-Sacco (replay) attack on the protocol 28

Session Key Exchange with KDC Needham-Schroeder Protocol (corrected version with mutual authentication) A -> KDC: ID A ID B N 1 (Hello, I am Alice, I want to talk to Bob, I need a session Key and here is a random nonce identifying this request) KDC -> A: E KA ( K ID B N 1 E KB (TS1, K ID A )) Encrypted(Here is a key, for you to talk to Bob as per your request N 1 and also an envelope to Bob containing the same key) A -> B: E K (TS2), E KB (TS1, K ID A ) (I would like to talk using key in envelope sent by KDC; here is an authenticator) B -> A: E K (TS2+1) (OK Alice, here is a proof that I am really Bob) 29 Kerberos - Goals Security Next slide. Reliability Transparency Minimum modification to existing network applications. Scalability Modular distributed architecture. 30

Kerberos Security Goals No cleartext passwords over network. No cleartext passwords stored on servers. Minimum exposure of client and server keys. Compromise of a session should only affect that session. Require password only at login. 31 Kerberos - Assumptions Global clock. There is a way to distribute authorization data. Kerberos provides authentication and not authorization. 32

Kerberos Key Distribution (1) Step 1 Joe to KDC Joe I would like to Talk to the File Server KDC Step 2 KDC Session key for User KDC Session key for service 33 Kerberos Key Distribution (2) Step 3 KDC Box 1 Session Key for Joe Box 2 Session Key for File server Dear Joe, This key for File server Locked With Joe s key Dear File server, This key for Use with Joe Locked With File Server s key Step 4 KDC to Joe Joe Box 1 Box 2 KDC 34

Step 5 Joe Kerberos Distribution (3) Opened Box 1 Dear Joe, This key for File server Box 2 Session Key for File server Dear File server, This key for Use with Joe Locked With File Server s key Step 6 Joe Box 3 Dear File server, The time is 3:40 pm Locked With Session key Box 2 Session Key for File server Dear File server, This key for Use with Joe Locked With File Server s key 35 Kerberos Distribution (4) Step 7 Joe to File server Joe Box 2 Box 3 File Server Unlocked Box 3 Unlocked Box 2 Step 8 File server Dear File server, The time is 3:40 pm Dear File server, This key for Use with Joe 36

Kerberos Key Distribution (5) For mutual authentication, file server can create box 4 with time stamp and encrypt with session key and send to Joe. Box 2 is called ticket. KDC issues ticket only after authenticating password To avoid entering passwords every time access needed, KDC split into two authenticating server and ticket granting server. 37 Kerberos One Slide Overview 2. AS verifies user's access right in database, creates ticket-granting ticket and session key. Results are encrypted using key derived from user's password. once per user logon session 1. User logs on to workstation and requests service on host. request ticketgranting ticket ticket + session key request servicegranting ticket ticket + session key Kerberos Authentication Server (AS) Ticketgranting Server (TGS) 3. Workstation prompts user for password and uses password to decrypt incoming message, then sends ticket and authenticator that contains user's name, network address, and time to TGS. 5. Workstation sends ticket and authenticator to server. once per service session provide server authenticator once per type of service request service 4. TGS decrypts ticket and authenticator, verifies request, then creates ticket for requested server. 6. Server verifies that ticket and authenticator match, then grants access to service. If mutual authentication is required, server returns an authenticator. 38

Version 4 summary 39 Kerberos - Limitations Every network service must be individually modified for use with Kerberos. Requires a global clock Requires secure Kerberos server. Requires continuously available or online server. 40

Public Key Distribution Public announcements (such as email) Can be forged Public directory Can be tampered with Public-key certification authority (CA) (such as verisign) This is what we use in practice CA issues certificates to the users 41 Naming and Certificates Certification authority s vouch for the identity of an entity - Distinguished Names (DN). /O=Polytechnic University/OU=CS/CN=John Doe Although CN may be same, DN is different. Policies of certification Authentication policy What level of authentication is required to identify the principal. Issuance policy Given the identity of principal will the CA issue a certificate? 42

Types of Certificates CA s vouch at some level the identity of the principal. Example Verisign: Class 1 Email address Class 2 Name and address verified through database. Class 3- Background check. 43 Public Key Certificate Public Key Certificate Signed messages specifying a name (identity) and the corresponding public key. Signed by whom Certification Authority (CA), an organization that issues public key certificates. We assume that everyone is in possession of a trusted copy of the CA s public key. CA could be Internal CA. Outsourced CA. Trusted Third-Party CA. 44

Public Key Certificate Unsigned certificate: contains user ID, user's public key Generate hash code of unsigned certificate H E Encrypt hash code with CA's private key to form signature Note: Mechanism of certification and content of certificate, will vary but at the minimum we have email verification and contains ID and Public Key. Signed certificate: Recipient can verify signature using CA's public key. 45 Certificate Verification/Validation 46

Certificate Revocation CA also needs some mechanism to revoke certificates Private key compromised. CA mistake in issuing certificate. Particular service the certificate grants access to may no longer exist. CA compromised. Expiration time solves the problems only partially. Certification Revocation Lists (CRL) a list of every certificate that has been revoked but not expired. CRL s quickly grow large! CRL s distributed periodically. What about time period between revocation and distribution of CRL? Other mechanisms OCSP (online certificate status protocol) 47 X.509 Clearly, there is a need for standardization X.509. Originally 1988, revised 93 and 95. X.509 is part of X.500 series that defines a directory service. Defines a framework for authentication services by X.500 directory to its users. Used in S/MIME, IPSEC, SSL etc. Does not dictate use of specific algorithm (recommends RSA). 48

X.509 Certificate Signature algorithm identifier Period of validity Version Certificate Serial Number algorithm parameters Issuer Name not before not after Version 1 Version 2 Signature algorithm identifier Revoked certificate algorithm parameters Issuer Name This Update Date Next Update Date user certificate serial # revocation date Subject's public key info Subject Name algorithms parameters key Issuer Unique Identifier Subject Unique Identifier Version 3 Revoked certificate Signature user certificate serial # revocation date algorithms parameters encrypted Signature Extensions algorithms parameters encrypted all versions (b) Certificate Revocation List (a) X.509 Certificate 49 Advantages of CA Over KDC CA does not need to be on-line all the time! CA can be very simple computing device. If CA crashes, life goes on (except CRL). Certificates can be stored in an insecure manner!! Compromised CA cannot decrypt messages. Scales well. 50

Internet Certificate Hierarchy Internet Policy Registration Authority Policy Certification Authorities Certification Authority Individuals/roles/orgs. 51 Types of certificates Organizational Certificates Principal s affiliation with an organization Residential certificates Principal s affiliation with an address Persona Certificates Principal s Identity Principal need not be a person. It could be a role. 52

Public-key Infrastructure (PKI) Combination of digital certificates, public-key cryptography, and certificate authorities. A typical enterprise's PKI encompasses issuance of digital certificates to users and servers end-user enrollment software integration with corporate certificate directories tools for managing, renewing, and revoking certificates; and related services and support Verisign, Thawte and Entrust PKI providers. Your own PKI using Mozilla/Microsoft certificate servers 53 Problems with PKI Private Key Where and how is private key stored? Host encrypted with pass phrase Host encrypted by OS or application Smart Card Assumes secure host or tamper proof smartcard. 54

Problems with PKI - Conflicts X.509, PGP and IPRA remain silent on conflicts. They assume CA s and PCA s will ensure that no conflicts arise. But in practice conflicts may exist John A. Smith and John B. Smith may live at the same address. 55 Trustworthiness of Issuer A certificate is the binding of an external identity to a cryptographic key and a distinguished name. If the issuer can be fooled, all who rely upon the certificate can be fooled How do you trust CA from country XYZ (your favorite prejudice). 56

Further Reading MIT Kerberos site: http://web.mit.edu/kerberos/www/ Kerberos RFC: RFC-1510 X.509 page http://www.ietf.org/html.charters/pkixcharter.html Ten Risks of PKI - http://www.schneier.com/paper-pki.html 57 Some questions Can a KDC learn communication between Alice and Bob, to whom it issued keys? Can a CA learn communication between Alice and Bob, to whom it issued certificates? What happens if the CA is online all the time? Alice uses her private key, public key pairs and a CA issued certificate. She learnt that Eve might have leaned her key. What should she do? 58

Some questions AES CBC MAC is ------- than HMAC, computationally (for same key sizes)? Does HMAC provide non-repudiation? 59 Sometimes when you access an https website, you get a security warning. What is that warning for? Sometimes when you connect to an SSH server, you get a security warning. What is that warning for? What is a self-signed certificate? Computation time to MD5 a 100bytes long file is the same as for a 100MB file. Right? 60

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback