Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Similar documents
Identification Schemes

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Fall 2010/Lecture 32 1

Information Security CS 526

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Session key establishment protocols

Session key establishment protocols

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Cryptography and Network Security Chapter 14

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Key Agreement Schemes

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Lecture 2 Applied Cryptography (Part 2)

Spring 2010: CS419 Computer Security

T Cryptography and Data Security

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Authentication in Distributed Systems

Key Management and Distribution

UNIT - IV Cryptographic Hash Function 31.1

ICS 180 May 4th, Guest Lecturer: Einar Mykletun

Cryptography and Network Security

Chapter 9: Key Management

Public-key Cryptography: Theory and Practice

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms

CSC/ECE 774 Advanced Network Security

Public-Key Infrastructure NETS E2008

CS Computer Networks 1: Authentication

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Cryptographic Protocols 1

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

1. Diffie-Hellman Key Exchange

CT30A8800 Secured communications

User Authentication. Modified By: Dr. Ramzi Saifan

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

X.509. CPSC 457/557 10/17/13 Jeffrey Zhu

CSE 565 Computer Security Fall 2018

CIS 4360 Secure Computer Systems Applied Cryptography

Overview. SSL Cryptography Overview CHAPTER 1

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

ECE 646 Lecture 3. Key management

Public Key Algorithms

Crypto meets Web Security: Certificates and SSL/TLS

CSC 774 Network Security

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

Key Management and Distribution

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Key Agreement. Guilin Wang. School of Computer Science, University of Birmingham

Chapter 8. Network Security. Cryptography. Need for Security. An Introduction to Cryptography 10/7/2010

Security Handshake Pitfalls

Key Management and Distribution

CSC 482/582: Computer Security. Security Protocols

Authentication and Key Distribution

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

Authentication Handshakes

Auth. Key Exchange. Dan Boneh

Datasäkerhetsmetoder föreläsning 7

Diffie-Hellman. Part 1 Cryptography 136

Cryptography and Network Security Chapter 10. Fourth Edition by William Stallings

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Lecture 15 Public Key Distribution (certification)

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Chapter 8. Network Security. Need for Security. An Introduction to Cryptography. Transposition Ciphers One-Time Pads

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

CSC 474/574 Information Systems Security

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Cryptology Part 1. Terminology. Basic Approaches to Cryptography. Basic Approaches to Cryptography: (1) Transposition (continued)

Key management. Required Reading. Stallings, Cryptography and Network Security: Principles and Practice, 5/E or 6/E

CS 494/594 Computer and Network Security

Network Security Chapter 8

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

CS 161 Computer Security

Security Handshake Pitfalls

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

Computer Security 3e. Dieter Gollmann. Chapter 15: 1

Cryptography and Network Security

Cryptography (Overview)

Introduction to Network Security Missouri S&T University CPE 5420 Key Management and Distribution

Key management. Pretty Good Privacy

Real-time protocol. Chapter 16: Real-Time Communication Security

User Authentication Protocols

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

CS3235 Seventh set of lecture slides

Authenticating People and Machines over Insecure Networks

Kurose & Ross, Chapters (5 th ed.)

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

1.264 Lecture 28. Cryptography: Asymmetric keys

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

(2½ hours) Total Marks: 75

CS530 Authentication

Chapter 9. Public Key Cryptography, RSA And Key Management

Using Cryptography CMSC 414. October 16, 2017

Lecture 1: Course Introduction

User Authentication Protocols Week 7

Lecture 6.2: Protocols - Authentication and Key Exchange II. CS 436/636/736 Spring Nitesh Saxena. Course Admin

Encryption. INST 346, Section 0201 April 3, 2018

Transcription:

CS355: Cryptography Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Public Keys and Trust Public Key:P A Secret key: S A Public Key:P B Secret key: S B How are public keys stored How to obtain the public key? How does Bob know or trusts that P A is Alice s public key? 2

Distribution of Public Keys Public announcement: users distribute public keys to recipients or broadcast to community at large Publicly available directory: can obtain greater security by registering keys with a public directory Both approaches have problems, and are vulnerable to forgeries 3

X.509 Authentication Service Part of X.500 directory service standards. Defines framework for authentication services: Defines that public keys stored as certificates in a public directory. Certificates are issued and signed by an entity called certification authority (CA). Used by numerous applications and protocols: SSL, IPSec. Started 1988 4

Public-Key Certificates Certificates allow key exchange without real-time access to public-key authority A certificate binds identity to public key Contents signed by a trusted Public-Key or Certificate Authority (CA) Can be verified by anyone who knows the public-key authorities public-key A commonly used standard to store certificates is PEM. 5

X.509 Certificates Certificates contain: version (1, 2, or 3) serial number (unique within CA) identifying certificate signature algorithm identifier issuer X.500 name (CA) period of validity (from - to dates) subject X.500 name (name of owner) subject public-key info (algorithm, parameters, key) issuer unique identifier (v2+) subject unique identifier (v2+) extension fields (v3) signature (of hash of all fields in certificate) 6

How to Obtain a Certificate? For a particular application you can define your own CA (libraries like openssl provide the necessary tools) Many companies define their own CA. Verisign: company that provides certificates; commercial companies obtain certificates; Private key remains secret and certificate must be accessible. Example: see certificates accepted by your browser, if you use netscape: preferences/ security and privacy/certificates 7

Validity of Certificates Certificates are valid if: Signature of CA verifies Dates of the certificate are valid Certificate was not revoked Certificates can be revoked before expiration if user's private key is compromised user is no longer certified by this CA CA's certificate is compromised CA maintains a list of revoked certificates: Certificate Revocation List (CRL) Users should check certificates with CA s CRL 8

CA Hierarchy If everybody has the same CA then they are assumed to know its public key, so they can verify each other s certificate. Not scalable. Other approach: entities have different CAs; in this case CAs how is a certificate verified? CAs must form a hierarchy certificates linking members of hierarchy are used to validate other CAs each CA has certificates for clients (forward) and parent (backward) each client trusts parents certificates 9

CAs and Trust Certificates are trusted if signature of CA verifies Chain of CA s can be formed, head CA is called root CA In order to verify the signature, in the end the public key of the root CA should be obtain. When is that valid? You just trust the root CA. TRUST is CENTRALIZED (one CA) or HIERARCHICAL (more CAs.) 10

Problems with X509 Management of certificates Assumptions about validity of certificates: detection of secret key disclosure time delay for certificate revocation time delay for distribution of revoked certificates amount of data distributed periodically by CA 11

Problems with X509 (2) CRLs have several problems Protocols must check CRLs to make sure that the certificate is still valid In practice protocols do not really check CRLs, delay between revocation and detection of revocation CRL is not suitable for time-critical applications time-validity of CRL is typically 24 hours Validity of certificates is usually years 12

Detection of Secret Key Disclosure Time between disclosure and detection may be in hours or days, time needed for abuse may be counted in milliseconds Owner is responsible for private key usage until requesting CA to revoke appropriate certificate There is no trusted way to identify place or time of signature creation 13

PGP PGP (Pretty Good Privacy) is a secure email application Mail is encrypted and signed using public keys What s different? The way the keys are authenticated, trust about the keys is built. Trust is not centralized. http://www.pgpi.org/ 14

Trust Models Direct Trust Hierarchical trust Web of trust: combination of both 15

PGP Web of Trust Any user can act as a CA Certificate is only valid if the receiving party recognize the validator as a trusted introducer Each user stores: Its own public/private keys Keys of entities that interacts with whether or not the user considers a particular key to be valid the level of trust the user places on the key that the key's owner can serve as certifier of others' keys 16

Problems Key revocation of a key, a user needs to issue a revoked certificate and then distribute it as broad as possible. Does not scale for large, open communities Does not really accomodate for more formalised security needs, for instance for non-repudiation purposes towards a third party 17

Authentication Entity authentication (identification): the process whereby one party is assured of the identity of a second party involved in a protocol an that the second has actually participated. Data source authentication: represents an indication about the source of the data. 18

Requirements of Identification Protocols Requirements of identification protocols for honest prover A and verifier B, A is able to convince B no other party can convince B in particular, B cannot convince C that it is A Kinds of attackers passive and replay active, man in the middle the verifier 19

Properties of Identification Protocols Reciprocity of identification (one -way or mutual) Computational efficiency (encryption, signing) Communication efficiency (communication rounds, messages) Involvement of a third party Nature of trust in the third party Storage of secrets 20

Authentication Using Fixed Passwords Client authenticates to a server using a password. Passwords must be kept in encrypted password files or as digests Strengthen passwords by salting Passphrases, more complex passwords Attacks: Replay of fixed passwords Exhaustive password search Password-guessing and dictionary attacks 21

Unix crypt Algorithm Used to store Unix passwords Information stored is /etc/passwd is: Iterated DES encryption of 0 (64 bits), using the first 8 characters of the password as key 12 bit random salt taken from the system clock time at the password creation Why use the salt: to alter the expansion function E of DES, to defend against attacks on DES using off-the-shelf hardware that can crack DES 22

Lamport s One-Time Password Stronger authentication that password-based One-time setup: A selects a value w, a hash function H(), and an integer t, computes w 0 = H t (w) and sends w 0 to B B stores w 0 Protocol: to identify to B for the i th time, 1 i t A sends to B: A, i, w i = H t-i (w) B checks i = i A, H(w i ) = w i-1 if both holds, i A = i A +1 23

Challenge-Response Protocols Goal: one entity authenticates to other entity proving the knowledge of a secret, challenge Time-variant parameters used to prevent replay, interleaving attacks, provide uniqueness and timeliness : nounce (used only once) Three types: Random numbers Sequences Timestamp 24

Challenge-Response Protocols Random numbers: pseudo-random numbers that are unpredictable to an adversary; vulnerable to birthday attacks, use larger sample; must maintain state; do not prevent interleaving attacks (parallel sessions) Sequences: serial number or counters; long-term state information must be maintained by both parties+ synchronization Timestamp: provides timeliness and detects forced delays; requires synchronized clocks 25

Challenge-Response Protocols Using Digital Signatures unilateral authentication with timestamp A B: cert A, t A, B, S A (t A, B) unilateral authentication with random numbers A B: r B A B: cert A, r A, B, S A (r A, r B, B) mutual authentication with random numbers A B: r B A B: cert A, r A, B, S A (r A, r B, B) A B: cert B, A, S B (r B, r A, A) 26

Attacks: Examples E1: Man-in-the-middle attack on unauthenticated DH E2: Reflection attack Protocol: A and B authenticate to each other (1) A B : r A (2) B A : E k (r A, r B ) (3) A B : r B Attack: E wants to trick A to accept him as B (1) A E : r A (2) E A : r A : Starting a new session (3) A E : E k (r A, r A ) : Reply of (2) (4) E A : E k (r A, r A ) : Reply of (1) (5) A E : r A ; this concludes session started with (1) AUTHENTICATION RELIES ON THE SECRECY OF KEY K 27

Attacks: Examples (cont.) E3: Interleaving attacks (parallel sessions) Protocol (1) A B : r A (2) B A : r B, S B (r B, r A, A) (3) A B : r A, S A (r A, r B, B) Attack: E wants to pass as A to B (1) E B : r A (2) B E : r B, S B (r B, r A, A) (3) E A : r B (4) A E : r A, S A (r A, r B, B) (5) E B : r A, S A (r A, r B, B) 28

Need for Key Establishment Encrypt K (M) C = Encrypt K (M) M = Decrypt K (C) Alice and Bob share a secret key K How to establish the shared key? How to refresh it (not a good idea to encrypt a lot of data with the same key) 29

Long-Term Key vs. Session Key Session key: temporary key, used for a short time period. Long-term key: used for a long term period, sometimes public and secret key pairs used to sign messages. Using session keys to: limit available cipher-text encrypted with the same key limit exposure in the event of key compromise avoid long-term storage of a large number of distinct secret keys create independence across communications sessions or applications 30

Key Establishment Key pre-distribution: keys are distributed off-line Dynamic shared key establishment: protocols that define on-line key establishment Key establishment: process to establish a shared secret key available to two or more parties; key transport: one party creates, and securely transfers it to the other(s). key agreement: key establishment technique in which a shared secret is derived by two (or more) parties 31

Issues in Key Establishment Need and type of the authentication: unilateral vs. mutual Key control: key distribution vs. key agreement Efficiency: communication (number of message and communication rounds) and computation (exponentiations and digital signatures) costs Two ways to achieve: using symmetric encryption using public key encryption Use of trusted third party (TTP): on-line/off-line/no third party degree of trust required in a third party 32

Basic Key Transport Protocol Assumes a long term symmetric key K shared between A and B Basic: new key is k A A B: E K (k A ) Prevents replay: new key is r A A B: E K (k A, t A, B) 33

Needham-Schroeder Public Key Protocol P B (k 1, A) P A (k1, k2) P B (k 2 ) P A and P B denote public keys; A and B distribute keys k 1 and k 2 P B (k 1, A, r 1 ) P A (k 2, r 1, r 2 ) r 2 34

Key Transport: Combining Public Key Encryption and Digital Signature Encrypting signed keys: A B: P B (k, t A, S A (B, k, t A )) Problem: Data for encryption is too large Encrypting and signing separately A B: P B (k, t A ), S A (B, k, t A ) Acceptable only if no information regarding plaintext data can be deduced from the signature Signing encrypted keys A B: t A, P B (A, k), S A (B, t A, P B (A, k)) Can provide mutual authentication with two messages(timestamps) or three messages(challenge-response) 35

Key Agreement: Diffie-Hellman Protocol Key agreement protocol, both A and B contribute to the key Setup Z n, n prime and g generator, n and g public. g a mod n g b mod n Pick random, secret a Compute and send g a mod n K = (g b mod n) a = g ab mod n Pick random, secret b Compute and send g b mod n K = (g a mod n) b = g ab mod n 36

Station-to-Station (STS) g a mod n g c mod n g c mod n g b mod n Alice computes g ac mod n and Bob computes g bc mod n!!! Provides mutual entity authentication g x mod p g y mod p, E k (Sign B (g y, g x )) E k (Sign A (g x, g y )) 37

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback