Presentation is loading. Please wait.

Presentation is loading. Please wait.

Intrusion Resilience via the Bounded-Storage Model Stefan Dziembowski Warsaw University and CNR Pisa.

Published byCora Howard Modified over 7 years ago

Similar presentations

Presentation on theme: "Intrusion Resilience via the Bounded-Storage Model Stefan Dziembowski Warsaw University and CNR Pisa."— Presentation transcript:

1 Intrusion Resilience via the Bounded-Storage Model Stefan Dziembowski Warsaw University and CNR Pisa

2

3 Setup: K Kauthenticates with K installs a virus the user can impersonate the user! the bank

4 Question Can cryptography prevent such an attack?

5 Can we prevent this attack? If we have a trusted hardware then this attack is preventable. This hardware can be e.g.:  a token  a list of one-time passwords Note that the human-memorized passwords don’t help (because the virus can record the key-strokes).

6 Assume there is no trusted hardware (trusted hardware costs and is not easy to use) Can we have any security in this case? Looks quite hopeless... (If the adversary can take control over our machine, than he can do whatever he wants.)

7 Our goal We propose a cheap method that makes the task of the adversary significantly harder. Caution: our method does not guarantee super-high levels of security. However in many cases it may be worth using.

8 Our contribution Idea: Make the secret key K so large that the adversary cannot retrieve it. We consider  entity-authentication  session-key generation

9 We assume that  the secret key K is stored on a machine which can be infected by a virus  the virus can perform an arbitrary computation on K, but the output of this computation U is shorter than K:  she can retrieve U.  (this looks similar to the Bounded-Storage Model!) The model (1/3)

10 The model (2/3) As long as the machine is infected, the virus has a full controll over it. We want to have security in the periods when the virus is not controlling the machine: This is what we call: intrusion resilience. We assume that the virus cannot modify the data on the machine.

11 The model (3/3) What else can the adversary do? She can perform active attacks: eavesdrop, substitute and fabricate messages.

12 Plan 1. Introduction 2. Introduction to the Bounded- Storage Model 3. Entity Authentication 4. Session-Key Generation 5. Practicality?

13 The Bounded-Storage Model (BSM) can perform any computation on R, but the result U=h(R) has to be much smaller than R short initial key Y X = f(R,Y) 000110100111010010011010111001110111 111010011101010101010010010100111100 001001111111100010101001000101010010 001010010100101011010101001010010101 randomizer R: knows: U=h(R) randomizer disappears X ?

14 BSM – previous results Several key-expansion functions f were proven secure [DR02, DM04b, Lu04, Vad04]. Of course their security depends on the bound on the memory of the adversary. We call a function s-secure if it is secure against an adversary that has memory of a size s.

15 The scheme of [DM02] 0111001000 01110 1 000 100001110 0111100000 0111001000 100 01010 010 100 100 1101100000100 00 0011 1 01 00 1000 0110 10 10 0 XOR 1000 The derived key X

16 Entity authentication – the problem Alice knows the public key of the bank the bank the user can verify the authenticity of the bank the bank cannot verify the authenticity of the user How can the bank verify the authenticity of the user? We solve the following problem: C

17 Entity authentication – the solution random Y key K = R: 000110100111010010011010111001110111 111010011101010101010010010100111100 001001111111100010101001000101010010 001010010100101011010101001010010101 X = f(R,Y) verifies The communication is done via the channel C.

18 Security of the entity authentication protocol (1/3) Clearly as long as the adversary is controlling Alice’s machine, she can impersonate her. But what happens when the adversary looses control on the user’s machine?

19 Security of the entity authentication protocol (2/3)

20 Security of the entity authentication protocol (3/3) What about the active attacks? Since the communication is done via the channel C, the only thing that the adversary can do is to “act as a wire”.

21 Session-key generation The entity authentication protocols without key generation are often not very useful. It is much more practical to have a session-key generation protocol.

22 The session-key generation Alice Bob long-term key K...

23 Intrusion-resilient session-key generation Clearly leaks to the adversary. compromised sessions non-compromised sessions compromised sessions – when adversary installed a virus on the machine of at least one of the users We want the keys generated in non-compromised sessions to remain secret! time

24 Intrusion resilience = backward + forward security

25 Forward-secure session-key generation (standard method) long term key: key K for a MAC ( Encr,Decr ) – a public key encryption scheme generates a random key (e,d) for the public key encryption e,MAC(K,e) generates a random key Z C = Encr(e,Z), MAC(K,C) decrypts Z from C Z erases d

26 Our protocol Outline:  We achieve forward security in a standard way.  Only the backward security is novel. Challenge: How to generate the key K (for authentication) in a backward-secure way?

27 A (slightly wrong) idea

28 Security

29 Security – proof attempt (1/2)

30 Security – a proof attempt (2/2)

31 How the adversary can influence the outcome of the protocol 0111001000 01110 1 000 100001110 0111100000 0111001000 100 01010 010 100 100 1101100000100

32 Repairing the protocol How to repair the protocol? Our idea: add hashing

33 Other variants (1/2) Once we assumed the Random Oracle Model we can try to build f using the hash function. 0111100000100 Suppose f’(R,Y) just selects n bits from R (Y describes which bits) R:R: f’(R,Y):

34 Other variants (2/2) If we set f(R,Y) := H(f’(R,Y)) then the output of f(R,Y) is entirely uniform (unless we guessed f’(R,Y)). Therefore it is enough to show that the adversary cannot guess f’(R,Y) if she knows just h(R).

35 Improvements The Random Oracle Assumption was removed in Cash et al. [Cryptology ePrint Archive: Report 2005/409]. They also introduce the name Limited Communication Model.

36 Example The function f of [DM02] was proven secure when the memory of the adversary has a size of around 8% of the length of the randomizer. In our case the players need to store 2 randomizers, so the protocol is secure if the adversary cannot retrieve 4% of the key. Example: if |K| = 5 GB, then we can allow her to retrieve 200 MB. This can probably be improved significantly...

37 Practicality? The model has some obvious weaknesses (the intruder can impersonate the user, during the attack). Nevertheless it may find some applications as it is very cheap and very easy to use. Also note: the trusted server can generate the key pseudo-randomly and just store the seed. Example: remote login authentication at the university servers.

Download ppt "Intrusion Resilience via the Bounded-Storage Model Stefan Dziembowski Warsaw University and CNR Pisa."

Similar presentations

1 東南技術學院九十二學年度第二學期 資工系第一次論文發表會 Analysis of an Improved Version of S/KEY One-Time Password Authentication Scheme Speaker: Maw-Jinn Tsaur 2004.05.12.

1 東南技術學院九十二學年度第二學期 資工系第一次論文發表會 Analysis of an Improved Version of S/KEY One-Time Password Authentication Scheme Speaker: Maw-Jinn Tsaur
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Implementation of a Two-way Authentication Protocol Using Shared Key with Hash CS265 Sec. 2 David Wang.

Implementation of a Two-way Authentication Protocol Using Shared Key with Hash CS265 Sec. 2 David Wang.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Chapter 9 Overview of Authentication System

Chapter 9 Overview of Authentication System
On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.

On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Strong Password Protocols

Strong Password Protocols
8. Data Integrity Techniques

8. Data Integrity Techniques
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.

Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.

14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
Cryptography on Non-Trusted Machines Stefan Dziembowski.

Cryptography on Non-Trusted Machines Stefan Dziembowski.
Lecture 11: Strong Passwords

Lecture 11: Strong Passwords
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.

CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.

Similar presentations

Ads by Google