Presentation is loading. Please wait.

Presentation is loading. Please wait.

Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 October 9, 2003 Introduction to Computer Security Lecture.

Published byTrevin Rayson Modified over 10 years ago

Similar presentations

Presentation on theme: "Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 October 9, 2003 Introduction to Computer Security Lecture."— Presentation transcript:

1 Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 October 9, 2003 Introduction to Computer Security Lecture 7 Digital Signature

2 INFSCI 2935: Introduction to Computer Security2 Digital Signature Construct that authenticates origin, contents of message in a manner provable to a disinterested third party (judge) Construct that authenticates origin, contents of message in a manner provable to a disinterested third party (judge) Sender cannot deny having sent message (service is nonrepudiation) Sender cannot deny having sent message (service is nonrepudiation) Limited to technical proofs Inability to deny ones cryptographic key was used to sign One could claim the cryptographic key was stolen or compromised Legal proofs, etc., probably required;

3 INFSCI 2935: Introduction to Computer Security3 Common Error Classical: Alice, Bob share key k Classical: Alice, Bob share key k Alice sends m || { m }k to Bob Does this satisfy the requirement for message authentication? How? Does this satisfy the requirement for a digital signature? This is not a digital signature This is not a digital signature Why? Third party cannot determine whether Alice or Bob generated message

4 INFSCI 2935: Introduction to Computer Security4 Classical Digital Signatures Require trusted third party Require trusted third party Alice, Bob each share keys with trusted party Cathy The judge must trust the trusted party Cathy The judge must trust the trusted party Cathy To resolve dispute, judge gets { m }k Alice, { m }k Bob, and has Cathy decipher them; if messages matched, contract was signed, else one is a forgery To resolve dispute, judge gets { m }k Alice, { m }k Bob, and has Cathy decipher them; if messages matched, contract was signed, else one is a forgery Alice Bob Cathy Bob { m }k Alice { m }k Bob

5 INFSCI 2935: Introduction to Computer Security5 Public Key Digital Signatures (RSA) Alices keys are d Alice, e Alice Alices keys are d Alice, e Alice Alice sends Bob Alice sends Bob m || { m }d Alice In case of dispute, judge computes In case of dispute, judge computes { { m }d Alice }e Alice and if it is m, Alice signed message and if it is m, Alice signed message Shes the only one who knows d Alice !

6 INFSCI 2935: Introduction to Computer Security6 RSA Digital Signatures Use private key to encipher message Use private key to encipher message Protocol for use is critical Key points: Key points: Never sign random documents, and when signing, always sign hash and never document Mathematical properties can be turned against signer Sign message first, then encipher Changing public keys causes forgery

7 INFSCI 2935: Introduction to Computer Security7 Attack #1 Example: Alice, Bob communicating Example: Alice, Bob communicating n A = 95, e A = 59, d A = 11 n B = 77, e B = 53, d B = 17 26 contracts, numbered 00 to 25 26 contracts, numbered 00 to 25 Alice has Bob sign 05 and 17: c = m d B mod n B = 05 17 mod 77 = 3 c = m d B mod n B = 17 17 mod 77 = 19 Alice computes 05 17 mod 77 = 08; corresponding signature is 03 19 mod 77 = 57; claims Bob signed 08 Note: [(a mod n) × (b mod n)] mod n = (a × b) mod n Judge computes c e B mod n B = 57 53 mod 77 = 08 Signature validated; Bob is toast!

8 INFSCI 2935: Introduction to Computer Security8 Attack #2: Bobs Revenge Bob, Alice agree to sign contract 06 Bob, Alice agree to sign contract 06 Alice enciphers, then signs: Alice enciphers, then signs: Enciper: c = m e B mod n B = (06 53 mod 77) 11 Sign: c d A mod n A = (06 53 mod 77) 11 mod 95 = 63 Bob now changes his public key Bob now changes his public key Bob wants to claim that Alice singed N (13) Computes r such that 13 r mod 77 = 6; say, r = 59 Computes r.e B mod (n B ) = 59 53 mod 60 = 7 Replace public key e B with 7, private key d B = 43 Bob claims contract was 13. Judge computes: Bob claims contract was 13. Judge computes: (63 59 mod 95) 43 mod 77 = 13 Verified; now Alice is toast Solution: sign first and then enciher!! Solution: sign first and then enciher!!

9 INFSCI 2935: Introduction to Computer Security9 El Gamal Digital Signature Relies on discrete log problem Relies on discrete log problem Choose p prime, g, d < p; Choose p prime, g, d < p; Compute y = g d mod p Compute y = g d mod p Public key: (y, g, p); private key: d Public key: (y, g, p); private key: d To sign contract m: To sign contract m: Choose k relatively prime to p–1, and not yet used Compute a = g k mod p Find b such that m = (da + kb) mod p–1 Signature is (a, b) To validate, check that To validate, check that y a a b mod p = g m mod p

10 INFSCI 2935: Introduction to Computer Security10 Example Alice chooses p = 29, g = 3, d = 6 Alice chooses p = 29, g = 3, d = 6 y = 3 6 mod 29 = 4 Alice wants to send Bob signed contract 23 Alice wants to send Bob signed contract 23 Chooses k = 5 (relatively prime to 28) This gives a = g k mod p = 3 5 mod 29 = 11 Then solving 23 = (6 11 + 5b) mod 28 gives b = 25 Alice sends message 23 and signature (11, 25) Bob verifies signature: g m mod p = 3 23 mod 29 = 8 and y a a b mod p = 4 11 11 25 mod 29 = 8 Bob verifies signature: g m mod p = 3 23 mod 29 = 8 and y a a b mod p = 4 11 11 25 mod 29 = 8 They match, so Alice signed

11 INFSCI 2935: Introduction to Computer Security11 Attack Eve learns k, corresponding message m, and signature (a, b) Eve learns k, corresponding message m, and signature (a, b) Extended Euclidean Algorithm gives d, the private key Example from above: Eve learned Alice signed last message with k = 5 Example from above: Eve learned Alice signed last message with k = 5 m = (da + kb) mod p–1 = 23 =(11d + 5 25) mod 28 So Alices private key is d = 6

12 INFSCI 2935: Introduction to Computer Security12 Kerberos Authentication system Authentication system Based on Needham-Schroeder with Denning-Sacco modification Central server plays role of trusted third party (Cathy) Ticket (credential) Ticket (credential) Issuer vouches for identity of requester of service Authenticator Authenticator Identifies sender Alice must Alice must 1.Authenticate herself to the system 2.Obtain ticket to use server S

13 INFSCI 2935: Introduction to Computer Security13 Overview User u authenticates to Kerberos server User u authenticates to Kerberos server Obtains ticket T u,TGS for ticket granting service (TGS) User u wants to use service s: User u wants to use service s: User sends authenticator A u, ticket T u,TGS to TGS asking for ticket for service TGS sends ticket T u,s to user User sends A u, T u,s to server as request to use s Details follow Details follow

14 INFSCI 2935: Introduction to Computer Security14 Ticket Credential saying issuer has identified ticket requester Credential saying issuer has identified ticket requester Example ticket issued to user u for service s Example ticket issued to user u for service s T u,s = s || { u || us address || valid time || k u,s } k s where: k u,s is session key for user and service Valid time is interval for which the ticket is valid us address may be IP address or something else Note: more fields, but not relevant here

15 INFSCI 2935: Introduction to Computer Security15 Authenticator Credential containing identity of sender of ticket Credential containing identity of sender of ticket Used to confirm sender is entity to which ticket was issued Example: authenticator user u generates for service s Example: authenticator user u generates for service s A u,s = { u || generation time || k t } k u,s where: k t is alternate session key Generation time is when authenticator generated Note: more fields, not relevant here

16 INFSCI 2935: Introduction to Computer Security16 Protocol userCathy user || TGS Cathyuser { k u,TGS } k u || T u,TGS userTGS service || A u,TGS || T u,TGS userTGS user || { k u,s } k u,TGS || T u,s userservice A u,s || T u,s userservice { t + 1 } k u,s

17 INFSCI 2935: Introduction to Computer Security17 Analysis First two steps get user ticket to use TGS First two steps get user ticket to use TGS User u can obtain session key only if u knows key shared with Cathy Next four steps show how u gets and uses ticket for service s Next four steps show how u gets and uses ticket for service s Service s validates request by checking sender (using A u,s ) is same as entity ticket issued to Step 6 optional; used when u requests confirmation

18 INFSCI 2935: Introduction to Computer Security18 Problems Relies on synchronized clocks Relies on synchronized clocks If not synchronized and old tickets, authenticators not cached, replay is possible Tickets have some fixed fields Tickets have some fixed fields Dictionary attacks possible Kerberos 4 session keys weak (had much less than 56 bits of randomness); researchers at Purdue found them from tickets in minutes

19 Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security19 Midterm

20 INFSCI 2935: Introduction to Computer Security20 Midterm Midterm date: October 16, 2003 Midterm date: October 16, 2003 Duration:2:30 minutes Duration:2:30 minutes Coverage:Material till today Coverage:Material till today Closed Book:Yes Closed Book:Yes

21 INFSCI 2935: Introduction to Computer Security21 Roughly speaking Chapter 1, 2, 4:20% Chapter 1, 2, 4:20% Chapter 3:20% Chapter 3:20% Chapter 5, 6, 7:35% Chapter 5, 6, 7:35% Chapter 9 and 10:25% Chapter 9 and 10:25% May vary slightly!! May vary slightly!!

22 INFSCI 2935: Introduction to Computer Security22 Chapter 1 Understand the general concepts/issues Understand the general concepts/issues Components of security: confidentiality, integrity, availability, etc. Threats Policy vs. mechanisms Assumptions of trust Assurance Specification/design/implementation Operational issues Cost-benefit; risk analysis; Human issues, etc. Organizational problems Security life cycle

23 INFSCI 2935: Introduction to Computer Security23 Chapter 2 Understand that access control matrix is an abstract model Understand that access control matrix is an abstract model Understand the notation of state transitions Understand the notation of state transitions Formal definitions of primitive commands Formal definitions of primitive commands Structure of conditional commands Structure of conditional commands Principle of attenuation of privilege Principle of attenuation of privilege

24 INFSCI 2935: Introduction to Computer Security24 Chapter 3 Understand the working of Turing machine and the mapping Understand the working of Turing machine and the mapping Take-grant model Take-grant model Understand the concepts well Witness Sharing Stealing/conspiracy No need to remember definitions (e.g., initial/terminal spans, bridges etc.) SPM model SPM model Understand link/f, cc, cr functions well Understand the examples well

25 INFSCI 2935: Introduction to Computer Security25 Chapter 4 Policy definitions Policy definitions Types of access control Types of access control Policy language (Pandey & Hashii) Policy language (Pandey & Hashii) Security and precision Security and precision Observability postulate Secure and precise mechanism Understand the definitions – no need to memorize (they will be provided if needed)

26 INFSCI 2935: Introduction to Computer Security26 Chapter 5, 6 and 7 Confidentiality: Bell-LaPadula model [5] Confidentiality: Bell-LaPadula model [5] Security levels, categories, dominates relation Not the formal model Integrity policies Integrity policies Bibas integrity models Lipners integrity model Clark-wilson model Hybrid policies Hybrid policies Chinese wall (informal) Clinical and originator control (understand the basic requirements) Role-based access control (NIST)

27 INFSCI 2935: Introduction to Computer Security27 Chapter 9 Classical crypto systems Classical crypto systems Transposition ciphers Substitution ciphers (caesar cipher) Vigenere cipher One-time pad Data Encryption Standard (DES) General working of DES Cipher Block Chaining mode Public-key Diffie-hellman RSA Cryptographic checkcsum

28 INFSCI 2935: Introduction to Computer Security28 Chapter 10 Classical cryptographic key exchange and authentication Classical cryptographic key exchange and authentication Basic protocol Needham-Schroeder Denning and Sacco Otway-Rees protocol Kerberos Digital Signature

Download ppt "Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 October 9, 2003 Introduction to Computer Security Lecture."

Similar presentations

The Diffie-Hellman Algorithm

The Diffie-Hellman Algorithm
1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
Public Key Cryptosystem

Public Key Cryptosystem
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 6. Security in Mobile Ad-Hoc Networks.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 6. Security in Mobile Ad-Hoc Networks.
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Kerberos and X.509 Fourth Edition by William Stallings

Kerberos and X.509 Fourth Edition by William Stallings
CSCE 815 Network Security Lecture 10 KerberosX.509 February 13, 2003.

CSCE 815 Network Security Lecture 10 KerberosX.509 February 13, 2003.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Computer Science Dr. Peng NingCSC 774 Advanced Network Security1 Topic 3.1: NetBill.

Computer Science Dr. Peng NingCSC 774 Advanced Network Security1 Topic 3.1: NetBill.
DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13

DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13
DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13 DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13 Digital Signatures Authentication.

DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13 DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13 Digital Signatures Authentication.
Chapter 10: Key Management

Chapter 10: Key Management
Public Key Encryptions CS461/ECE422 Fall 2011. Reading Material Text Chapters 2 and 20 Handbook of Applied Cryptography, Chapter 8 –

Public Key Encryptions CS461/ECE422 Fall Reading Material Text Chapters 2 and 20 Handbook of Applied Cryptography, Chapter 8 –
Public Key Cryptography INFSCI 1075: Network Security – Spring 2013 Amir Masoumzadeh.

Public Key Cryptography INFSCI 1075: Network Security – Spring 2013 Amir Masoumzadeh.
30.1 Chapter 30 Cryptography Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

30.1 Chapter 30 Cryptography Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Off-the-Record Communication, or, Why Not To Use PGP

Off-the-Record Communication, or, Why Not To Use PGP
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

Similar presentations

Ads by Google