Introduction to Cybersecurity Digital Signatures


Lecture Summary: Digital Signatures
- Basic Definitions
- RSA-based Signatures
- Attacks

Digital signatures
Goal of digital signatures:
[Diagram: Alice signs the plaintext with her private key and sends the plaintext with signature to Bob, who verifies it with Alice's public key.]
- Only the secret key allows for creating signatures
- Everybody can verify the validity of signatures using the respective public key
- Signatures serve as indisputable evidence that the respective person signed the message

Definition of digital signatures
Definition (Digital Signatures): A digital signature scheme is a triple of algorithms $(K, S, V)$ such that:
- The randomized key generation algorithm $K$ takes no input and returns a key pair $(pk, sk)$.
- The (randomized or stateful) signing algorithm $S$ takes a secret key $sk$ and a message $m$ and returns a tag $t$.
- The deterministic verification algorithm $V$ takes a public key $pk$, a message $m$ and a tag $t$ and returns a bit $b \in \{0,1\}$.
The message space $M_{pk}$ for a public key $pk$ is the set of all $m$ such that $S(sk, m)$ does not output a distinguished error symbol for all $sk$ with $(pk, sk) \in [K]$.
Correctness: The above algorithms have to satisfy the following property: for any key pair $(pk, sk) \in [K]$, any message $m \in M_{pk}$, and any tag $t \in [S(sk, m)]$, we have $V(pk, m, t) = 1$.

Definition of Digital Signatures
Technical difference to public-key encryption:
- Signature schemes often maintain state
Differences to MACs and consequences:
- Key transmission has to be authentic but not necessarily secret
- Non-repudiation! (Can use signatures as evidence at a third party)

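CMA Game (for digital signatures)
Experiment $\mathrm{Exp}^{\mathrm{CMA}}_{I_n, A_n}$ between Challenger(n) and Adversary(n):
1. The challenger generates $(pk, sk) \leftarrow K$ and sends $pk$ to the adversary.
2. The adversary sends messages $m_i \in M_{pk}$; the challenger answers each with $t_i \leftarrow S(sk, m_i)$.
3. The adversary outputs a pair $(m, t)$.
4. Output 1 if $V(pk, m, t) = 1$ and $(m, t) \notin \{(m_1, t_1), \ldots, (m_q, t_q)\}$.
Definition (CMA-Security of digital signatures): A sequence of signature schemes $I = (I_n)_{n \in \mathbb{N}} = (K_n, S_n, V_n)_{n \in \mathbb{N}}$ is secure against existential forgery under chosen-message attack (CMA) if for all efficient adversaries $A = (A_n)_{n \in \mathbb{N}}$, we have that $\Pr[\mathrm{Exp}^{\mathrm{CMA}}_{I_n, A_n} = 1]$ is negligible.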

Naïve RSA-based signatures
Naïve use: key generation as for RSA encryption. For primes $p, q$:
- Set $N := pq$
- Pick random $e$ with $1 < e < \varphi(N)$ and $\gcd(e, \varphi(N)) = 1$ (can be publicly known)
- Set $d := e^{-1} \bmod \varphi(N)$
- Set $pk := (N, e)$
- Set $sk := d$
- Output $(pk, sk)$

Naïve RSA-based signatures
Naïve use:
Signing $S(sk, m)$:
- Set $t := m^d \bmod N$
- Output $t$
Verifying $V(pk, m, t)$:
- Test if $t^e \equiv m \pmod{N}$
- Output $b \in \{0,1\}$
Correctness: $t^e \equiv m^{ed} \equiv m \pmod{N}$

Attacks on Naïve RSA-based Signatures
Existential forgery under passive attacks:
- Given $(N, e)$, the adversary has to find $(m, t)$ such that $t^e \equiv m \pmod{N}$
- Idea: pick arbitrary $t$ and output $(t^e, t)$
- This is a forgery on the message $t^e \bmod N$.

Attacks on Naïve RSA-based Signatures
Selective forgery under active attacks (blinding attack):
- The adversary wants a signature on $m$
- Pick random $r \in \mathbb{Z}_N^*$ and compute $m' := m \cdot r^e \bmod N$
- Ask the signer to sign $m'$. Result: $(m', t')$ where $t'^e \equiv m' \pmod{N}$
- Compute $t := t' / r$
- Indeed we have $t^e \equiv t'^e / r^e \equiv m' / r^e \equiv m \cdot r^e / r^e \equiv m \pmod{N}$
Originally an attack against RSA signature schemes. Now a special primitive (blind signature), used in anonymous digital cash, election systems, etc.

Attacks on Naïve RSA-based Signatures
Countermeasures:
1. Add redundancy to the message
2. Hash message before signing
Hash-then-sign:
- General concept, often even introduced as the only way to sign in books
- Advantage: allows for signing arbitrarily long messages
- Required properties for hash to make the system secure?
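The two forgeries and the hash-then-sign countermeasure from the slides above, as an added Python example that is not part of the lecture. The key is built from two small Mersenne primes, the function names are made up for this sketch, and the hash is SHA-256 reduced mod N, a toy choice that only makes sense for this tiny modulus.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters: two Mersenne primes, far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537

def keygen():
    n, phi = P * Q, (P - 1) * (Q - 1)
    assert gcd(E, phi) == 1
    d = pow(E, -1, phi)                   # d := e^-1 mod phi(N)
    return (n, E), (n, d)                 # pk = (N, e); sk carries N next to d for convenience

def sign_naive(sk, m):
    n, d = sk
    return pow(m, d, n)                   # t := m^d mod N

def verify_naive(pk, m, t):
    n, e = pk
    return pow(t, e, n) == m % n          # t^e = m (mod N)?

def existential_forgery(pk, t):
    """Passive attack: needs only pk. Any t is a valid tag for m = t^e mod N."""
    n, e = pk
    return pow(t, e, n), t

def blinding_forgery(pk, sign_oracle, m):
    """Active attack: get a tag on m while the signer only ever sees m * r^e."""
    n, e = pk
    r = 0
    while gcd(r, n) != 1:                 # r must be invertible mod N
        r = secrets.randbelow(n - 2) + 2
    t_blind = sign_oracle((m * pow(r, e, n)) % n)
    return (t_blind * pow(r, -1, n)) % n  # t := t' / r

def to_bytes(m):
    return m.to_bytes((m.bit_length() + 7) // 8 or 1, "big")

def digest(msg, n):
    # Toy hash into Z_N: SHA-256 reduced mod N (assumption of this sketch).
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign_hashed(sk, msg):
    return sign_naive(sk, digest(msg, sk[0]))

def verify_hashed(pk, msg, t):
    return verify_naive(pk, digest(msg, pk[0]), t)

def demo():
    pk, sk = keygen()
    target = 0xC0FFEE                     # constructed message the signer never sees
    seen = []                             # everything the naive signer was asked to sign
    def naive_oracle(m):
        seen.append(m)
        return sign_naive(sk, m)
    forged_m, forged_t = existential_forgery(pk, 123456789)
    blind_t = blinding_forgery(pk, naive_oracle, target)
    hashed_oracle = lambda m: sign_hashed(sk, to_bytes(m))
    blind_t_hashed = blinding_forgery(pk, hashed_oracle, target)
    return {
        "existential_naive": verify_naive(pk, forged_m, forged_t),
        "blinding_naive": verify_naive(pk, target, blind_t) and target not in seen,
        "existential_hashed": verify_hashed(pk, to_bytes(forged_m), forged_t),
        "blinding_hashed": verify_hashed(pk, to_bytes(target), blind_t_hashed),
    }

if __name__ == "__main__":
    print(demo())
```

Both forgeries verify against the naive scheme and fail once the verifier compares against the hash of the message, because neither a chosen $t^e$ nor an unblinded tag matches the hash of its message.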

Introduction to Cybersecurity Anonymity and Privacy

Lecture Summary
- Introduction to Privacy
  - Motivation
  - Example: Browser Cookies
  - Basic Principles of Data Protection
- Network Anonymity
  - Dining Cryptographers
  - Mix-Networks
- Low Latency Anonymous Communication
  - VPNs, Onion Routing and Tor
  - Tor Vulnerabilities

Motivation: What is privacy?
"Privacy is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. When something is private to a person, it usually means that something is inherently special or sensitive to them. The domain of privacy partially overlaps security, which can include the concepts of appropriate use, as well as protection of information." (Wikipedia, 2014)

Motivation: Privacy in the internet
Alice shares her opinion in an Online Social Network. As a consequence, her employer, who dislikes that opinion, fires Alice.
- Alice: "I like cats, but I hate dogs."
- Employer: "Alice insults my dog! Time to get rid of her"

Examples of Privacy Breaches: Online Advertisement
- Cookie Tracking
- What is a cookie?

Refresher: What is a Cookie?
HTTP request (browser to www.example.com):
    GET /index.html HTTP/1.1
    Accept: image/gif, image/x-bitmap, image/jpeg, */*
    Accept-Language: en
    Connection: Keep-Alive
    User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
    Host: www.example.com
    Referer: http://www.google.com?q=dingbats
HTTP response (www.example.com to browser):
    HTTP/1.0 200 OK
    Date: Sun, 21 Apr 1996 02:20:42 GMT
    Server: Microsoft-Internet-Information-Server/5.0
    Connection: keep-alive
    Content-Type: text/html
    Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
    Set-Cookie:
    Content-Length: 2543

    <HTML> Some data... blah, blah, blah </HTML>

Refresher: What is a Cookie?
HTTP request (browser to www.example.com), now carrying the cookie:
    GET /index.html HTTP/1.1
    Accept: image/gif, image/x-bitmap, image/jpeg, */*
    Accept-Language: en
    Connection: Keep-Alive
    User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
    Host: www.example.com
    Referer: http://www.google.com?q=dingbats
    Cookie:
The cookie is always sent back to this server (during time to live).
HTTP response (www.example.com to browser):
    HTTP/1.0 200 OK
    Date: Sun, 21 Apr 1996 02:20:42 GMT
    Server: Microsoft-Internet-Information-Server/5.0
    Connection: keep-alive
    Content-Type: text/html
    Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
    Set-Cookie:
    Content-Length: 2543

    <HTML> Some data... blah, blah, blah </HTML>

Examples of Privacy Breaches: Online Advertisement, Cookie Tracking
[Diagram: www.economist.com, www.sportsnews.com and www.pcworld.com each trigger an HTTP request for ad images to ad.doubleclick.net, passing cookies + referrer to doubleclick.net. Result at the ad server: "Bob just visited economist.com, pcworld.com".]

Tradeoff Utility-Privacy
The doctor needs private information about you in order to make a qualified diagnosis. If you hide relevant but private information, this may lead to a false diagnosis.
- Patient: "My symptoms include fever and headache." Doctor: "Maybe you have the flu."
- Patient: "Last week, I was in a tropical region and now I suffer from fever and headache." Doctor: "To be sure, we need to test you for Malaria."

Differences to other Security goals
A large part of privacy is about what other parties actually do with your data. Even if you are sure that only your doctor knows about your private data, what does he do with this information? Does he use your data only for the intended purpose without further distributing it to other parties?

Basic Principles of Data Protection Law in Germany
- Prohibition of conditional permission: Collecting personal data is forbidden, unless explicitly permitted by the law or the person concerned gave explicit consent.
- Principle of immediacy: The personal data have to be collected directly from the person concerned.
- Principle of data avoidance and data economy: Data processing systems should strive to use no (or as little as possible) personally identifiable data.
- Principle of Transparency: A person whose data are collected has to be informed about the purposes of collection, processing and use.
- Principle of Earmarking (purpose bound): If data can be collected for a particular purpose, processing it is strictly bound to this purpose.


Anonymity
- It is a state of being not identifiable within a set of subjects/individuals
- The Internet is designed to be a public place
  - Routing information is public
  - IP packet headers identify source and destination
- Even a passive observer can easily figure out who is talking to whom
- Encryption does not and cannot hide identities
  - Encryption hides payload, but not routing information

Anonymity in the Digital Era
Positive aspects:
- Avoiding detection, retribution, and embarrassment
- Freedom of expression
- Whistle-blowing
- ...
Negative aspects (illegal activity):
- Anonymous bribery
- Copyright infringement
- Harassment and financial scams
- Disclosure of trade secrets
- ...

Anonymity vs. Privacy
Privacy
- Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others
Anonymity
- The state of being not identifiable within a set of subjects/individuals
- It is a property exclusively of individuals
Privacy != Anonymity
- Anonymity is a way to maintain privacy, and sometimes it is not necessary

Anonymity vs. Privacy
Privacy preserving protocols are not pervasively used
- Reasons: Efficiency, Overhead, Law, Surveillance
The Internet has become a mass surveillance system
- NSA's Prism Program
- http://prism-break.org/
[Figure: Global heat map of the Prism program (Credit: The Guardian)]

Anonymous Communication: A simple Example
Three cryptographers are having dinner. Either NSA is paying for the dinner, or one of them is paying, but wishes to remain anonymous.
1. Each diner flips a coin and shows it to his left neighbor.
   - Every diner will see two coins: his own and his right neighbor's
2. Each diner announces whether the two coins are the same. If he is the payer, he lies (says the opposite).
3. Odd number of "same" => NSA is paying; even number of "same" => one of them is paying
   - But a non-payer cannot tell which of the other two is paying!

Dining Cryptographers
- Share secret coin with left diner
- Can you infer who pays?
[Diagram: announcements "different", "different", "?"; conclusion: NSA pays]

Dining Cryptographers
- Share secret coin with left diner
- Can you infer who pays?
[Diagram: announcements "same", "different", "?"; each of the other two diners is marked as a possible payer]
Without knowing the coin toss between the other two, a non-payer cannot tell which of them is lying
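The three-diner protocol above, checked exhaustively in an added Python example (not part of the lecture; the function names are made up here). It confirms the parity rule for every coin outcome and shows that, for a non-paying observer, every view is explained by exactly as many worlds in which one neighbour paid as worlds in which the other did.

```python
from collections import Counter
from itertools import product

N = 3  # diners at the table, as on the slide

def announcements(coins, payer):
    """coins[i] is diner i's coin; diner i also sees coins[(i + 1) % N].
    Returns one word per diner. payer is a diner index, or None if the NSA pays."""
    out = []
    for i in range(N):
        same = coins[i] == coins[(i + 1) % N]
        if i == payer:
            same = not same              # the payer lies
        out.append("same" if same else "different")
    return out

def someone_at_table_paid(words):
    """Slide rule: odd number of 'same' => NSA pays, even number => a diner pays."""
    return words.count("same") % 2 == 0

def worlds_per_view(observer):
    """For a non-paying observer, count the worlds behind each view, per candidate payer.
    A view is what the observer sees: two coins plus all three announcements."""
    counts = Counter()
    for coins in product((0, 1), repeat=N):
        for payer in range(N):
            if payer == observer:
                continue
            view = (coins[observer], coins[(observer + 1) % N],
                    tuple(announcements(coins, payer)))
            counts[view, payer] += 1
    return counts

def observer_learns_nothing(observer):
    """True if every view is equally consistent with either of the other two paying."""
    counts = worlds_per_view(observer)
    others = [d for d in range(N) if d != observer]
    views = {view for view, _ in counts}
    return all(counts[v, others[0]] == counts[v, others[1]] for v in views)

if __name__ == "__main__":
    print(announcements((0, 1, 1), payer=1))
    print([observer_learns_nothing(o) for o in range(N)])
```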

Anonymous Network Communication
Entities (subjects and objects) and actions:
- Subjects execute actions on objects
- Subjects called senders send objects called messages to subjects called recipients using a communication network
[Diagram: Senders, Communication Network, Recipients, Messages]

Network Adversary
The attacker uses all information available to him to infer (probabilities of) his items of interest (IOIs)
Attacker capabilities:
- He controls some communication lines and a few subjects
- He is not able to get information on the sender or recipient from the message content
[Diagram: Senders, Communication Network, Recipients, Messages, Attacker]

Anonymity Notions
Various notions of anonymity:
- Subject Anonymity: Sender Anonymity, Recipient Anonymity
- Relationship Anonymity
- Unlinkability (diagram label: "=?")

Anonymous Communication (AC) Protocols
Various AC protocols with different goals:
- Low Latency Overhead
- Low Communication Overhead
- High Traffic-Analysis Resistance
[Diagram: Communication Complexity, Latency, Traffic-Analysis Resistance]
Typically categorized by latency overhead:
- low-latency AC protocols, e.g. Tor, DC Nets, Crowds
- high-latency AC protocols, e.g. Mix networks

Anonymous Email
"Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms" (Chaum, 1981)
- Proposes a solution to the cryptographic traffic analysis problem: keeping confidential who converses with whom, and when they converse
- Idea: Use Public-Key Crypto and a special communication network
- Shuffle all messages before forwarding to recipients!
[Diagram: Senders, Shuffler, Recipients]

Mix-Server: Basics
- $N$ senders $S_1, \ldots, S_N$ with messages $m_1, \ldots, m_N$
- Senders want to publish messages anonymously
Protocol:
1. The mix server MS publishes its public key $pk$.
2. Each sender $S_i$ sends $E_{pk}(m_i)$ to MS.
3. MS collects $N$ messages.
4. MS decrypts and outputs the messages as a permutation: $m_{\pi(1)}, m_{\pi(2)}, \ldots, m_{\pi(N)}$.

Definition: Mix Network
But: What if the mix server is compromised?
Mix Network: A group of mix servers that operate sequentially
[Diagram: Inputs, Server 1, Server 2, Server 3, Outputs]
Distribute trust to protect against compromised mix servers

Mix Networks: Requirements
- Correctness: Output is a permutation of the inputs.
- Privacy: If at least one Mix-Server conceals his mixing, the senders cannot be linked to their respective output.
- Public Verifiability: Honesty of Mix-Servers can be verified publicly.
- Soundness: Public verification guarantees correctness.
- Robustness: Mix Network still works correctly under restricted failure conditions.

Mix Networks: Decryption Networks (Chaum Mixes)
Use layered encryption that is decrypted layer by layer.
[Diagram: inputs $m_1, m_2, \ldots, m_N$ pass through Server 1, Server 2 and Server 3; each server decrypts and shuffles. After Server 1: $m_{\pi_1(i)}$; after Server 2: $m_{\pi_2(\pi_1(i))}$; after Server 3: $m_{\pi_3(\pi_2(\pi_1(i)))}$.]
Question: Are all mix network requirements fulfilled?
Requirements:
- Correctness
- Public Verifiability
- Privacy
- Soundness
- Robustness: Not Robust!

Mix Networks: Re-encryption networks
ElGamal allows for re-encryption of ciphertexts!
[Diagram: inputs $m_1, m_2, \ldots, m_N$ pass through Server 1, Server 2 and Server 3; each server shuffles and re-encrypts. After Server 1: $m_{\pi_1(i)}$; after Server 2: $m_{\pi_2(\pi_1(i))}$; after Server 3: $m_{\pi_3(\pi_2(\pi_1(i)))}$.]
Threshold decryption that only relies on a fraction of the mix servers to work correctly
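An added Python sketch of the re-encryption mix described above (not from the lecture). Each server multiplies a ciphertext by a fresh encryption of 1 and shuffles the batch, so the plaintexts survive while the ciphertexts change. Assumptions: a toy group with $p = 2^{127} - 1$ and $g = 3$, made-up function names, and a single key holder decrypting at the end in place of the threshold decryption the slide mentions.

```python
import secrets

P, G = 2**127 - 1, 3   # constructed toy group, far too small for real use

def random_exponent():
    return secrets.randbelow(P - 3) + 2

def keygen():
    x = random_exponent()
    return pow(G, x, P), x                        # public h = g^x, secret x

def encrypt(h, m, r=None):
    """ElGamal: (g^r, m * h^r) for a message m in [1, p-1]."""
    r = r or random_exponent()
    return pow(G, r, P), (m * pow(h, r, P)) % P

def reencrypt(h, ct, s=None):
    """Needs only the public key: (c1 * g^s, c2 * h^s) encrypts the same m."""
    s = s or random_exponent()
    c1, c2 = ct
    return (c1 * pow(G, s, P)) % P, (c2 * pow(h, s, P)) % P

def decrypt(x, ct):
    c1, c2 = ct
    return (c2 * pow(pow(c1, x, P), -1, P)) % P   # c2 / c1^x

def mix_server(h, batch):
    """One server: re-encrypt every ciphertext, then output them in random order."""
    out = [reencrypt(h, ct) for ct in batch]
    secrets.SystemRandom().shuffle(out)
    return out

def run_mixnet(h, batch, servers=3):
    for _ in range(servers):
        batch = mix_server(h, batch)
    return batch

if __name__ == "__main__":
    h, x = keygen()
    messages = [101, 202, 303, 404]               # constructed sample inputs
    mixed = run_mixnet(h, [encrypt(h, m) for m in messages])
    print(sorted(decrypt(x, ct) for ct in mixed))
```

The servers never hold the secret key; correctness (the output is a permutation of the inputs) can be checked here only because the sketch decrypts at the end.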


High vs. Low Latency
- Mix servers need to wait for at least N messages
- They incur high latency overhead in real network communication
Low Latency AC Protocols
- Aim: To keep latency/delay due to the AC protocol small such that its existence/usage is transparent to the user
- Useful for applications such as
  - web browsing
  - instant messaging, tele-conferencing
  - web services such as internet banking

VPNs (e.g. anonymizer.com)
Idea: use an intermediate server to serve as proxy for the user's actions -> Proxy Server
[Diagram: Sender, Proxies, Recipient]
Problem:
- Requires trust in the proxy server
Question: What happens if the proxy is compromised?

Towards Onion Routing
Similar to mix networks, distribute trust across various servers
[Diagram: Sender, Proxies, Recipient]
Question: What happens if a proxy is compromised?
Problem:
- Single compromised proxy sufficient to break anonymity!

Onion Routing: Circuit Construction
Establish symmetric keys between the sender and proxy nodes such that
- only the sender and a proxy node know the key, and
- a proxy node does not know entities other than its neighbors on the path (or circuit)
[Diagram: Sender, Onion Routers, Recipient]

Onion Routing: Onion Transfer
- The sender creates a layered encryption of the message (onion) and sends it to the first node in her circuit
- Each proxy decrypts one layer of the onion and forwards it to the next proxy
[Diagram: Sender, Onion Routers 1, 2 and 3, Recipient; the message m loses one layer at each router]

Intermezzo: Diffie-Hellman key exchange
Publicly known: $p$ large prime number, $g$ generator for group of order $p$
- Alice ($g, p$) picks $x \in_R G$ and sends $g^x \bmod p$ to Bob
- Bob ($g, p$) picks $y \in_R G$ and sends $g^y \bmod p$ to Alice
- Both compute the shared secret $g^{xy} \bmod p$
Computational Diffie-Hellman Assumption: Given the triple $(g, g^a, g^b)$, it is computationally infeasible to determine the value of $g^{ab}$.

Second Generation Onion Routing
Idea: use telescope construction together with Diffie-Hellman key exchange to generate ephemeral, symmetric session keys!
[Diagram: Sender, Onion Routers 1, 2 and 3, Recipient]

Second Generation Onion Routing
Example: 2 hop circuit construction to surf a webpage
[Diagram: Key Exchange, Browsing, Webpage]
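The telescoping key exchange and the layer-by-layer onion transfer from the slides above, as an added Python sketch that is not part of the lecture and is not Tor's actual cell format. Assumptions: a toy Diffie-Hellman group ($p = 2^{127} - 1$, $g = 3$), a toy XOR keystream in place of a real cipher, made-up names, and a handshake reply that is returned directly instead of travelling back through the circuit.

```python
import hashlib
import secrets

P, G = 2**127 - 1, 3   # constructed toy DH group, far too small for real use

def keystream_xor(key, data):
    """Toy cipher: XOR with a SHA-256 counter keystream (no nonce, no integrity).
    Applying it twice with the same key restores the input."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def derive_key(secret, peer_public):
    shared = pow(peer_public, secret, P)            # g^xy mod p
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def frame(next_hop, body):
    """Plaintext of one layer: length-prefixed next hop, then the inner data."""
    return bytes([len(next_hop)]) + next_hop.encode() + body

class Router:
    def __init__(self, name):
        self.name, self.key, self.seen = name, None, []

    def handshake(self, sender_public):
        y = secrets.randbelow(P - 3) + 2            # ephemeral secret
        self.key = derive_key(y, sender_public)
        return pow(G, y, P)                         # g^y, returned to the sender

    def peel(self, onion):
        plain = keystream_xor(self.key, onion)
        n = plain[0]
        next_hop, inner = plain[1:1 + n].decode(), plain[1 + n:]
        self.seen.append(next_hop)                  # the only routing fact this hop learns
        return next_hop, inner

def wrap(hops, keys, destination, payload):
    """Innermost layer for the last hop, outermost layer for the first."""
    next_hops = [r.name for r in hops[1:]] + [destination]
    data = payload
    for key, next_hop in zip(reversed(keys[:len(hops)]), reversed(next_hops)):
        data = keystream_xor(key, frame(next_hop, data))
    return data

def route(hops, onion):
    """Each router on the path removes exactly one layer."""
    next_hop, data = None, onion
    for router in hops:
        next_hop, data = router.peel(data)
    return next_hop, data

def build_circuit(routers):
    """Telescoping: the handshake with hop k travels through hops 1..k-1 as an onion."""
    keys = []
    for k, router in enumerate(routers):
        x = secrets.randbelow(P - 3) + 2
        gx = pow(G, x, P).to_bytes(16, "big")
        _, delivered = route(routers[:k], wrap(routers[:k], keys, router.name, gx))
        gy = router.handshake(int.from_bytes(delivered, "big"))   # reply path simplified
        keys.append(derive_key(x, gy))
    return keys

if __name__ == "__main__":
    path = [Router("OR1"), Router("OR2"), Router("OR3")]
    circuit_keys = build_circuit(path)
    print(route(path, wrap(path, circuit_keys, "recipient", b"GET /index.html")))
```

Each router's `seen` list ends up holding only the name of its successor, which is the property the circuit-construction slide asks for.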

Tor
Tor (https://www.torproject.org)
- Intended to provide anonymity over the Internet
- Running since October 2003
- Implements 2nd Generation OR
Tremendously successful!
- More than 2,000,000 users all over the world
- More than 7000 OR (volunteer) nodes/proxies/routers (metrics.torproject.org)
The second most employed privacy enhancing technology after the TLS protocol

Tor Vulnerabilities: Traffic Analysis
- The adversary can observe traffic at different locations in the network
- If traffic looks similar, it likely belongs to the same user!
- Low communication overhead results in low traffic-analysis resistance
- Alternatives with high traffic-analysis resistance (e.g. Crowds, DC nets etc.) cause high communication overhead
- Low traffic-analysis resistance is one of the biggest problems of today's AC networks!
[Diagram: Communication Complexity, Latency, Traffic-Analysis Resistance]

Tor Vulnerabilities: DNS Leaks
- DNS requests are not sent through the Tor network by default
- An attacker could see what websites are being visited by examining DNS requests
- External software such as Foxyproxy and Privoxy can be used to route DNS requests through the Tor network, but this is not default behavior
