Presentation is loading. Please wait.

Presentation is loading. Please wait.

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 10: Certificates and Hashes.

Published byAshley Little Modified over 8 years ago

Similar presentations

Presentation on theme: "David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 10: Certificates and Hashes."— Presentation transcript:

1 David Evans http://www.cs.virginia.edu/~evans CS588: Security and Privacy University of Virginia Computer Science Lecture 10: Certificates and Hashes

2 1 Oct 2001University of Virginia CS 5882 Menu PS3 –Work with different people from PS2 or your project group –Due Oct 10 Midterm postponed until 24 Oct Public Key Infrastructures (PKI) Hashing

3 1 Oct 2001University of Virginia CS 5883 Key Management Public keys only useful if you know: 1.The public key matches the entity you think it does (and no one else). 2.The entity is trustworthy.

4 1 Oct 2001University of Virginia CS 5884 Approach 1: Public Announcement Publish public keys in a public forum –USENET groups –Append to email messages –New York Time classifieds Easy for rogue to pretend to be someone else

5 1 Oct 2001University of Virginia CS 5885 Approach 2: Public Directory Trusted authority maintains directory mapping names to public keys Entities register public keys with authority in some secure way Authority publishes directory –Print using watermarked paper, special fonts, etc. –Allow secure electronic access

6 1 Oct 2001University of Virginia CS 5886 One Key Electronic access requires directory have key (public/private key pair might work, but how do entities validate public key?) If authority’s key is compromised, everything is vulnerable! –Keep the key locked up well Directory is single point of failure

7 1 Oct 2001University of Virginia CS 5887 Certificates TrustMe.com Alice Bob { alice@alice.org, KU A } C A = E KR TrustMe [“alice@alice.org”, KU A ] { bob@bob.com, KU B } C B = E KR TrustMe [“bob@bob.com”, KU B ] CBCB CACA Use anything like this?

8 1 Oct 2001University of Virginia CS 5888 Data encrypted using secret key exchanged using some public key associated with some certificate.

9 1 Oct 2001University of Virginia CS 5889

10 1 Oct 2001University of Virginia CS 58810 SSL (Secure Sockets Layer) Client Server Hello KR CA [Server Identity, KU S ] Check Certificate using KU CA Pick random K KU S [K] Find K using KR S Secure channel using K

11 1 Oct 2001University of Virginia CS 58811 Certificates TrustMe.com Alice Bob { alice@alice.org, KU A } C A = E KR TrustMe [“alice@alice.org”, KU A ] { bob@bob.com, KU B } C B = E KR TrustMe [“bob@bob.com”, KU B ] CBCB CACA How does TrustMe.com decide whether to provide Certificate?

12 1 Oct 2001University of Virginia CS 58812 TrustMe.com Alice Bob { alice@alice.org, KU A } C A = E KR TrustMe [“alice@alice.org”, KU A ] { bob@bob.com, KU B } C B = E KR TrustMe [“bob@bob.com”, KU B ] CBCB CACA Verifying Identities $$$$

13 1 Oct 2001University of Virginia CS 58813 VeriSign’s Certificate Classes Class 1: Individuals Only, No Identity Check –Proves: you are communicating with someone willing to pay VeriSign $14.95 –Except they have a free 60-day trial Class 2: Individuals Only, No longer available –“Confirmation is based upon VeriSign proprietary matching criteria of third-party databases against the information in the application.” –$20/year Class 3: Individuals and Organizations –Require physical appearance before notary –Businesses: “out-of-band” communication, records –~$1000, VeriSign’s liability up to $100,000

14 1 Oct 2001University of Virginia CS 58814

15 1 Oct 2001University of Virginia CS 58815 VerySine.com Alice Bob { alice@alice.org, KU A } C A = E KR TrustMe [“alice@alice.org”, cert id, expiration time, KU A ] CACA Limiting The Damage Checks expiration time > now

16 1 Oct 2001University of Virginia CS 58816

17 1 Oct 2001University of Virginia CS 58817 Revoking Certificates VerySine.com Alice Bob { alice@alice.org, KU A } CACA CACA Send me the CRL … E KR TrustMe [CRL]

18 1 Oct 2001University of Virginia CS 58818 Revoked!

19 1 Oct 2001University of Virginia CS 58819 Web Treasure Hunt Click on “lock” next time when you browse the web Find a certificate with a hierarchy of trust more than one level deep –The CA has a certificate

20 1 Oct 2001University of Virginia CS 58820 PGP (Pretty Good Privacy) Keyring: list of public keys, signed by owner’s private key Alice’s keyring: E KR Alice (, ) Exchanging Keyrings (Web of Trust) –Complete Trust: I trust Alice’s keyring (add the public key pairings to my own keyring) –Partial Trust: I sort of trust Alice, but require confirmation from someone else too (I need to get E KR Cathy ( ) before trusting KU Bob

21 1 Oct 2001University of Virginia CS 58821 Anonymous Quiz

22 1 Oct 2001University of Virginia CS 58822 Using RSA to Encrypt Use 1024-bit modulus (RSA recommends at least 768 bits) Encrypt 1M file –1024 1024-bit messages –To calculate M e requires log 2 e 1024-bit modular multiplies Why does no one use RSA like this? –About 100-1000 times slower than DES –Can speed up encryption by choosing e that is an easy number to multiply by (e.g., 3 or 2 16 + 1) –But, decryption must use non-easy d (around 1024 bits)

23 1 Oct 2001University of Virginia CS 58823 Alternatives Use RSA to establish a shared secret key for symmetric cipher (DES, RC6,...) –Lose external authentication, non- repudiation properties of public-key cryptosystems Sign (encrypt with private key) a hash of the message –A short block that is associated with the message

24 1 Oct 2001University of Virginia CS 58824 Hashing 0 1 2 3 4 5 6 7 8 9 “neanderthal” “dog” H (char s[]) = (s[0] – ‘a’) mod 10 “horse”

25 1 Oct 2001University of Virginia CS 58825 Regular Hash Functions 1.Many-to-one: maps a large number of values to a small number of hash values 2.Even distribution: for typical data sets, P(H(x) = n) = 1/N where N is the number of hash values and n = 0.. N – 1. 3.Efficient: H(x) is easy to compute. How well does H (char s[]) = (s[0] – ‘a’) mod 10 satisfy these properties?

26 1 Oct 2001University of Virginia CS 58826 Cryptographic Hash Functions 4.One-way: for given h, it is hard to find x such that H(x) = h. 5.Collision resistance: Weak collision resistance: given x, it is hard to find y  x such that H(y) = H(x). Strong collision resistance: it is hard to find any x and y  x such that H(y) = H(x).

27 1 Oct 2001University of Virginia CS 58827 Using Hashes Alice wants to send Bob and “I owe you” message. Bob should be able to show the message to a judge to compel Alice to pay up. Bob should not be able to make his own “I owe you” from Alice, or change the contents of the one she sent him.

28 1 Oct 2001University of Virginia CS 58828 IOU Protocol (Attempt 1) Alice Bob MH(M)H(M) Judge MH(M)H(M) Hmmm...Bob can just make up M and H(M)!

29 1 Oct 2001University of Virginia CS 58829 IOU Protocol (Attempt 2) Alice Bob secret key K A M E K A [H(M)] Judge M E K A [H(M)] knows K A Use Diffie-Hellman to establish shared secret K A Can Bob cheat? Can Alice cheat? Yes, send Bob: M, junk. Judge will think Bob cheated!

30 1 Oct 2001University of Virginia CS 58830 IOU Protocol (Attempt 3) Alice Bob {KU A, KR A } M E KR A [H(M)] Judge M E KR A [H(M)] knows KU A Bob can verify H(M) by decrypting, but cannot forge M, E KR A [H(M)] pair without knowing KR A.

31 1 Oct 2001University of Virginia CS 58831 No Collision Resistance Suppose we use: H (char s[]) = (s[0] – ‘a’) mod 10 Alice sends Bob: “I, Alice, owe Bob $2.”, E KR A [H (M)] Bob sends Judge: “I, Alice, owe Bob $2000000000000000.”, E KR A [H (M)] Judge validates E KU A [ E KR A [H (M)]] = H(“I, Alice, owe Bob $2000000000000000.”) and makes Alice pay.

32 1 Oct 2001University of Virginia CS 58832 Weak Collision Resistance Given x, it should be hard to find y  x such that H(y) = H(x). Similar to a block cipher except no need for secret key: –Changing any bit of x should change most of H(x). –The mapping between x and H(x) should be confusing (complex and non-linear).

33 1 Oct 2001University of Virginia CS 58833 A Better Hash Function? H(x) = DES (x, 0) Weak collision resistance? –Given x, it should be hard to find y  x such that H(y) = H(x). –Yes – DES is one-to-one. (These is no such y.) A good hash function? –No, its output is as big as the message!

34 1 Oct 2001University of Virginia CS 58834 What we need: Produce small number of bits (say 64) that depend on the whole message in a confusing, non-linear way. Have we seen anything like this?

35 1 Oct 2001University of Virginia CS 58835 Cipher Block Chaining DES IV K  P1P1 C1C1 DES K  P2P2 C2C2... Use last ciphertext block as hash. Depends on all plaintext blocks. DES K  PnPn CnCn

36 1 Oct 2001University of Virginia CS 58836 Actual Hashing Algorithms Based on cipher block chaining No need for secret key or IV (just use 0) Don’t use DES –Performance –Better to use bigger blocks MD5 [Rivest92] – 512 bit blocks, produces 128-bit hash SHA [NIST95] – 512 bit blocks, 160-bit hash

37 1 Oct 2001University of Virginia CS 58837 Why big hashes? 3DES is (probably) secure with 64-bit blocks, why do secure hash functions need at least 128 bit digests? 64 bits is fine for weak collision resistance, but we need strong collision resistance too.

38 1 Oct 2001University of Virginia CS 58838 Strong Collision Resistance It is hard to find any x and y  x such that H(y) = H(x). Difference from weak: –Attacker gets to choose both x and y, not just y. Scenario: –Suppose Bob gets to write IOU message, send it to Alice, and she signs it.

39 1 Oct 2001University of Virginia CS 58839 Charge Next time: why strong collision resistance is hard Return PS2’s

Download ppt "David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 10: Certificates and Hashes."

Similar presentations

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 8: Hashing Note: only 3 people.

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 8: Hashing Note: only 3 people.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.
Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa Spring 2006 David Evans Class 4: Modern Cryptography

Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa Spring 2006 David Evans Class 4: Modern Cryptography
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.

Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
EEC-484/584 Computer Networks Lecture 16 Wenbing Zhao

EEC-484/584 Computer Networks Lecture 16 Wenbing Zhao
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
C HAPTER 13 Asymmetric Key Cryptography Slides adapted from Foundations of Security: What Every Programmer Needs To Know by Neil Daswani, Christoph Kern,

C HAPTER 13 Asymmetric Key Cryptography Slides adapted from "Foundations of Security: What Every Programmer Needs To Know" by Neil Daswani, Christoph Kern,
Introduction to Public Key Cryptography

Introduction to Public Key Cryptography
David Evans CS150: Computer Science University of Virginia Computer Science Class 36: Public Key Crypto.

David Evans CS150: Computer Science University of Virginia Computer Science Class 36: Public Key Crypto.
CS5204 – Fall 2009 1 Cryptographic Security Presenter: Hamid Al-Hamadi October 13, 2009.

CS5204 – Fall Cryptographic Security Presenter: Hamid Al-Hamadi October 13, 2009.

Similar presentations

Ads by Google