CS 161 Computer Security

Similar documents
CS 161 Computer Security

CS 161 Computer Security

CS 161 Computer Security

CS 161 Computer Security

1 Identification protocols

Password. authentication through passwords

CS 161 Computer Security

ECEN 5022 Cryptography

CS Computer Networks 1: Authentication

UNIT - IV Cryptographic Hash Function 31.1

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Public-key Cryptography: Theory and Practice

Message authentication. Why message authentication. Authentication primitives. and secure hashing. To prevent against:

CS 161 Computer Security

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

CS 161 Computer Security

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

CS 161 Computer Security

CIS 4360 Secure Computer Systems Symmetric Cryptography

CIS 4360 Secure Computer Systems Applied Cryptography

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Data Integrity. Modified by: Dr. Ramzi Saifan

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Kurose & Ross, Chapters (5 th ed.)

CS 161 Computer Security. Week of September 11, 2017: Cryptography I

CS408 Cryptography & Internet Security

Lecture 4: Hashes and Message Digests,

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Computer Security. 10. Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

Bitcoin, Security for Cloud & Big Data

Symmetric Encryption 2: Integrity

Message authentication

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

Cryptographic Checksums

CPSC 467: Cryptography and Computer Security

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Cryptographic Hash Functions

Unit 8 Review. Secure your network! CS144, Stanford University

CPSC 467b: Cryptography and Computer Security

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Exercises with solutions, Set 3

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Chapter 9 Public Key Cryptography. WANG YANG

===============================================================================

Lecture 7 - Applied Cryptography

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

CSE 127: Computer Security Cryptography. Kirill Levchenko

Homework 1 CS161 Computer Security, Spring 2008 Assigned 2/4/08 Due 2/13/08

CS 161 Computer Security

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Cryptographic hash functions and MACs

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Strong Password Protocols

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Spring 2010: CS419 Computer Security

1. Diffie-Hellman Key Exchange

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

Lecture 1: Course Introduction

Introduction to Cryptography. Ramki Thurimella

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Computer Security 3/20/18

Computer Security. 08. Authentication. Paul Krzyzanowski. Rutgers University. Spring 2018

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

Other Topics in Cryptography. Truong Tuan Anh

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

CPSC 467b: Cryptography and Computer Security

CS 161 Computer Security

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

Cryptography: More Primitives

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

2.1 Basic Cryptography Concepts

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

CSC/ECE 774 Advanced Network Security

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

CS155. Cryptography Overview

CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

What did we talk about last time? Public key cryptography A little number theory

1 Defining Message authentication

Key Establishment and Authentication Protocols EECE 412

Please ensure answers are neat and legible. Illegible answers may be given no points.

CS 425 / ECE 428 Distributed Systems Fall 2017

n-bit Output Feedback

CS 161 Computer Security

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

Chapter 9: Key Management

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

RSA Cryptography in the Textbook and in the Field. Gregory Quenell

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Computer Security Spring Hashes & Macs. Aggelos Kiayias University of Connecticut

CS November 2018

Transcription:

Paxson Spring 2017 CS 161 Computer Security Discussion 6 Week of March 6, 2017 Question 1 Password Hashing (10 min) When storing a password p for user u, a website randomly generates a string s (called a salt ), and saves the tuple (u, s, r = H(p s)), where H is a cryptographic hash function. (a) Say user u tries to log in submitting a password p (which may or may not be the same as p). How does the site check if the user should be allowed to log in? (b) Why use a hash function H rather than just store (u, p)? Isn t that just so much simpler? Keep It Simple Stupid, right? (c) What is the purpose of the salt s? (d) Suppose the site has three candidate hash function to choose from, H 1, H 2, and H 3. They each satisfy the following properties as displayed in the table. Functions One-Way Second Pre-Image Resistant Collision Resistant H 1 Yes No No H 2 Yes Yes No H 3 Yes Yes Yes Which of these hash functions are suitable choices for the website s password hashing scheme, in that they provide a significant gain in security over just storing passwords? Solution: (a) The site finds the tuple with user u, and compute H(p s) using the s in the user s tuple. If this hash output is equivalent to the stored r value, then the user submitted a valid password and is allowed to log into the account. (b) If the hash function is secure (discussed further in part (d)), then even if an attacker hacks into the site and obtains all of the user tuples, that still won t enable recovery of their passwords. (c) A general method for attackers to recover passwords from their hashes is to employ dictionary attacks: the attacker has a (large) list of possible/common passwords and tries each one to see if it yields an observed hash. If so, then the attacker has identified a working password for the associated account. One countermeasure for defenders is to employ an expensive hash function: one that requires significant computation to evaluate. Doing so slows down the rate Page 1 of 6

at which attackers can try different passwords from their dictionary. An easy way to generate an expensive hash function is to use N iterations of a standard hash function such as SHA-256, where N might be 1,000, increasing the time required to try a given password from microseconds to milliseconds. In response to this countermeasure, attackers can precompute the hashes corresponding to their password dictionary, so that once in possession of a set of hashed passwords, they still can quickly locate ones that correspond to entries in their dictionary. Using a salt is a counter-countermeasure to this technique. If precomputing, the attacker must now derive hashes for each possible salt. If the salt has s bits, then this increases the dictionary computation (and size) by a factor of 2 s. Thus, for a sufficiently large salt, the attacker gains no benefit from precomputation: the best they can do is run through their dictionary anew after acquiring the tuples (which, recall, include the associated salts). (d) All of them actually are secure, since one-way is the main property needed. Essentially, if the attacker gets a hold of a user s hash value, they need to find a pre-image to be able to impersonate that user. This is prevented by the hash functions one-wayness. Second pre-image resistance s definition is based on already knowing one password, and finding another that hashes to the same output. This is not an issue that is a threat to the website s password validation process. Similarly, collision resistance involves finding any two passwords that hash to the same output, again an unnecessary property. Discussion 6 Page 2 of 6 CS 161 SP 17

Question 2 Confidentiality and Integrity (30 min) Alice and Bob want to communicate with both confidentiality and integrity. They have: A symmetric key encryption function E(K, M) and corresponding decryption function D(K, M). They have already securely shared the key K. A cryptographic hash function H (recall that H is not keyed, so anyone can compute H(x) given x). A secure MAC generation function MAC(K, M). RSA Signature Algorithm SIGN d (M) and VERIFY n (M, S), with d being Alice s private key and n being her public key. (For convenience, we often leave out mention of e as part of the public key.) You may assume that H, E, F, and SIGN d do not interfere with each other when used in combination for example, if you compute H(E(K, M)), the message M will be confidential because E guarantees it, and the computation of H makes no difference. To send message M to Bob, Alice has the option to use any of the six schemes listed below. Alice Sends to Bob 1. C = H(E(K, M)) 2. C = C 1, C 2 : where C 1 = E(K, M) and C 2 = H(E(K, M)) 3. C = C 1, C 2 : where C 1 = E(K, M) and C 2 = MAC(K, M) 4. C = C 1, C 2 : where C 1 = E(K, M) and C 2 = MAC(K, E(K, M)) 5. C = SIGN d (E(K, M)) 6. C = C 1, C 2 : where C 1 = E(K, M) and C 2 = E(K, SIGN d (M)) (a) Consider the threat model where Eve is only able to eavesdrop and Alice and Bob are using the key K for the first time and will use it once and only once. Furthermore, Eve has no additional information about the plaintext messages that will be sent. For each scheme above, determine whether or not the scheme (1) provides confidentiality and (2) if Bob is able to correctly decrypt the message (if he is able to, write down the decryption procedure). Solution: Only option 3 does not provide confidentiality, because the MAC is sent in plaintext, and MACs are not guaranteed to provide confidentiality (they could leak information about message M). For example, consider the secure MAC: LeakyMAC(m) = HMAC(m) m. LeakyMAC is a secure MAC (any attack that managed to forge a MAC for LeakyMAC could be used to forge a MAC for the standard HMAC), but LeakyMAC clearly leaks the full message m! A less contrived way to see this is that if M 1 = M 2, then MAC(M 1 ) = MAC(M 2 ), i.e., if Eve sees the MAC for two different messages that happen to have the same contents, then she ll be able to tell that the messages were the same, which violates our confidentiality goals. Discussion 6 Page 3 of 6 CS 161 SP 17

Bob cannot decrypt Option 1 because he cannot invert H. Similarly, he cannot extract the original message from the signature sent in Option 5. A side note: When sending a signature S = SIGN d (M), we also need to send the message M too. The recipient will need the message M to be able to verify the signature. Notice that the signature S doesn t include/reveal the message. For example, for RSA, the signature S is defined as S = H(M) d mod n, so it depends on the hash of the message; given H(m), you can t recover M (since cryptographic hashes are one-way). Also, a signature is a short fixed-length value: e.g., with a 2048-bit RSA modulus (if n is 2048 bits), the signature is 2048 bits long. Obviously that s not long enough to carry a long message M. This is why Option 5 is not decryptable. (b) Now consider the threat model where Mallory is able to eavesdrop and actively alter/forge the message Alice sends to Bob. For each decryptable scheme, determine whether or not the scheme provides integrity; that is, will Bob be able to detect any tampering with the message? If the scheme provides integrity, describe how Bob checks the integrity of the message. If not, describe how Mallory could alter the message without Bob detecting. Solution: Option 2 does not provide integrity, as Mallory can forge a message by sending Bob C 1, H(C 1) Option 3 and 4 provide integrity because if Mallory alters C 1 into C 1, she cannot alter C 2 into a valid C 2 because she cannot find the correct MAC tag. Option 6 provides integrity, because if Mallory alters C 1 into C 1, she cannot alter C 2 into a valid C 2 because she does not have the private key to forge the digital signature Note: Using the same key K in Option 4 for encryption and MAC generation is generally a bad idea in practice. Depending on what encryption scheme E is used and what MAC generation algorithm F is used, using the same key K could cause vulnerabilities/exploits. It s better to use 2 independent keys, K 1 for encryption and K 2 for MAC generation. (c) If Alice and Bob use these schemes to send many messages, the schemes become vulnerable to a replay attack. In a replay attack, Mallory remembers a message that Alice sent to Bob, and some time later sends the exact same message to Bob, and Bob will believe that Alice sent the message. How might Alice and Bob redesign the scheme to prevent or detect replay attacks? Solution: One possible way is for Alice to include nonces in her message. A nonce is an arbitrary number that can only be used once. Alice can, along with Discussion 6 Page 4 of 6 CS 161 SP 17

her message, send a nonce as well as either a MAC or Digital Signature of this nonce to Bob. This prevents replay attacks because Bob can realize if he gets the same message twice. The MAC/Digital Signature of the nonce is important because it protects the integrity of the nonce. Summary Chart: Alice Sends to Bob Conf Integ Decryption + Integ-Check (if applicable) 1. C = H(E(K, M)) yes N/A (can t decrypt) can t 2. C 1 = E(K, M), C 2 = H(E(K, M)) yes no M = D(K, C 1 ) 3. C 1 = E(K, M), C 2 = MAC(K, M) no yes M = D(K, C 1 ) and C 2? = MAC(K, M) 4. C 1 = E(K, M), C 2 = MAC(K, E(K, M)) yes yes M = D(K, C 1 ) and C 2? = MAC(K, C 1 ) 5. C 1 = SIGN d (E(K, M)) yes N/A (can t decrypt) can t 6. C 1 = E(K, M), C 2 = E(K, SIGN d (M)) yes yes M = D(K, C 1 ) and VERIFY n (M, D(K, C 2 )) Question 3 Public Key Basics (10 min) Assume Alice and Bob are trying to communicate over an insecure network with public key encryption. Both Alice and Bob have published their public keys on their websites. (You can assume they already know each other s correct public key) (a) Alice receives a message: Hey Alice, it s Bob. You owe me 100 bucks. Plz send ASAP. The message is encrypted with Alice s public key. Can she trust it? Solution: No, she cannot. As the name implies, a public key is generally publicly known. Anyone can go to Alice s website and use her public key to encrypt whatever they want. (b) Bob receives a message: Hey Bob, that last message you sent me was sketchy. I don t think I owe you 100 bucks. You owe me. The message is digitally signed using Alice s private key. Can he trust it was from Alice? How does he verify this message? Solution: Yes. As long as Alice has kept her private key secure, she is the only one who could construct such a message. Bob (and anyone else) can verify it using Alice s public key. Note that because they operate in a public key setting, signatures provide three properties: integrity, authenticity, and non-repudiation; the last of which is not provided by symmetric key MACs. Since Alice has published her public key to the world, everyone knows that the public key belongs to Alice; and anyone can use the public key to verify if a signature was generated using the corresponding private key. Only Alice can generate signatures that correctly verify under her public key because she s the only one who knows the private signing key. Thus, Discussion 6 Page 5 of 6 CS 161 SP 17

if anyone sees a message with a signature that verifies under Alice s public key, it must ve been signed by Alice. Note that when we say the message is digitally signed, Alice will need to send both the message and the signature. (c) Alice receives a message: Hey Alice, I know things have been rough these last two messages. But I trust you now. Here s the password to my Bitcoin wallet which has over $100. The message is encrypted with Alice s public key. Alice decrypted this and tested the password, and it was in fact Bob s! Can an eavesdropper figure out the password? Solution: No. An eavesdropper would not have Alice s private key, which is needed to decrypt the message. Discussion 6 Page 6 of 6 CS 161 SP 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback