Presentation is loading. Please wait.

Presentation is loading. Please wait.

Advanced Security Constructions and Key Management Class 16.

Published byMarcos Fessenden Modified over 9 years ago

Similar presentations

Presentation on theme: "Advanced Security Constructions and Key Management Class 16."— Presentation transcript:

1 Advanced Security Constructions and Key Management Class 16

2 Outline  One-Time Signatures Lamport’s signature Improved signature constructions Merkle-Winternitz Signature  Efficient Authenticators (amortize signature) One-way chains (self-authenticating values) Chained hashes Merkle Hash Trees  Applications Efficient short-lived certificates, S/Key Untrusted external storage Stream signatures (Gennaro, Rohatgi)  Zhou & Haas’s key distribution

3 One-Time Signatures  Challenge: digital signatures expensive for generation and verification  Goal: amortize digital signature

4 One-Time Signatures  Use one-way functions without trapdoor  Efficient for signature generation and verification  Caveat: can only use one time  Example: 1-bit one-time signature P0, P1 are public values (public key) S0, S1 are private values (private key) S1P1 S0P0 S1 S0 P S0’ S1’

5 Lamport’s One-Time Signature  Uses 1-bit signature construction to sign multiple bits S1 P1 S0 P0 Bit 0Bit 1Bit 2Bit n S1’ P1’ S0’ P0’ S1’’ P1’’ S0’’ P0’’ S1* P1* S0* P0* Private values Public values … Sign 0 Sign 1

6 Improved Construction I  Uses 1-bit signature construction to sign multiple bits S0 P0 Bit 0Bit 1Bit 2Bit n S0’ P0’ S0’’ P0’’ S0* P0* … c0 p0 c0’ p0’ c0* p0* … Bit 0Bit 1Bit log(n) Sign messageChecksum bits: encode # of signature bits = 0

7 Improved Construction II  Lamport signature has high overhead  Goal: reduce size of public and private key  Approach: use one-way hash chains  S1 = F( S0 ) S2PS3S0S1 Signature chain C1C0C3C2 Checksum chain P = F( S3 || C0 ) Sig(0)Sig(1)Sig(2)Sig(3)

8 Merkle-Winternitz Construction  Intuition: encode sum of checksum chain S2’’PS3’’S0’’S1’’ C1C0C3C2 S2’S3’S0’S1’ S2S3S0S1 C1’C0’C3’C2’ Signature Bits 0,1 Checksum Bits 0,1 Checksum Bits 2,3 Signature Bits 2,3 Signature Bits 4,5

9 Efficient Authenticators  One-way chains  Chained hashes  Merkle hash trees

10 Recall One-Way Hash Chains?  Versatile cryptographic primitive  Construction Pick random r N and public one-way function F r i = F(r i+1 ) Secret value: r N, public value r 0  Properties Use in reverse order of construction: r 1, r 2 … r N Infeasible to derive r i from r j (j<i) Efficiently authenticate r i knowing r j (j<i): verify r j = F i-j (r i ) Robust to missing values r6r6 r7r7 r4r4 r3r3 FFF r5r5 F

11 One-Way Chain Application  S/Key one-time password system  Goal Use a different password at every login Server cannot derive password for next login  Solution: one-way chain Pick random password P L Prepare sequence of passwords P i = F(P i+1 ) Use passwords P 0, P 1, …, P L-1, P L Server can easily authenticate user p6p6 p7p7 p4p4 p3p3 FFF p5p5 F

12 Chained Hashes  More general construction than one-way hash chains  Useful for authenticating a sequence of data values D 0, D 1, …, D N  H * authenticates entire chain DNDN D N-1 H N-1 H(D N ) D N-2 H N-2 H( D N-1 || H N-1 ) D0D0 H0H0 … H*H*

13 Merkle Hash Trees  Authenticate a sequence of data values D 0, D 1, …, D N  Construct binary tree over data values T0T0 D0D0 D2D2 D3D3 D1D1 D4D4 D6D6 D7D7 D5D5 T1T1 T2T2 T3T3 T4T4 T5T5 T6T6

14 Merkle Hash Trees II  Verifier knows T 0  How can verifier authenticate leaf D i ?  Solution: recompute T 0 using D i  Example authenticate D 2, send D 3 T 3 T 2  Verify T 0 = H( H( T 3 || H( D 2 || D 3 )) || T 2 ) T0T0 D0D0 D2D2 D3D3 D1D1 D4D4 D6D6 D7D7 D5D5 T1T1 T2T2 T3T3 T4T4 T5T5 T6T6

15 Untrusted External Storage  Problem: how can we store memory of a secure coprocessor in untrusted storage?  Solution: construct Merkle hash tree over all memory pages Secure Coprocessor Small persistent storage Mallory’s Storage

16 Stream Signatures  Gennaro & Rohatgi, Crypto ‘97  Problem Sender sends a sequence of packets to receiver Receiver wants to immediately authenticate each packet Efficient authentication of packets On-line case (real-time data), off-line case (stored data)

17 Off-line Case  Sender know entire stream before sending  Use chained hashes, precompute H i  Digitally sign the first packet  (H * )  Each packet authenticates the next packet PNPN P N-1 H N-1 P N-2 H N-2 P0P0 H0H0 … H*H*

18 On-line Case  Use a one-time signature to authenticate packets Sender has regular signature (SK,PK) Sender signs public key of one-time signature  SK (pk0) Sign packet P i and one-time public key pk i with pk i-1 P0P0 pk 1  sk 0 (P 0 || pk 1 ) P1P1 pk 2  sk 1 (P 1 || pk 2 )

19 Stream Signature Discussion  Computation and communication cost  Robustness to DoS attack (packet injection)  Robustness to packet loss Loss of a single packet prevents authentication of subsequent packets How could we improve the loss robustness?

20 Alternative Stream Signature Packet 1Packet 2 Hash(P1) Packet 3 Hash(P2) Hash(P3) Signature Signature Packet  Add hashes to later packets  Periodically send a signature packet

21 Improving Robustness Packet 1Packet 2 Hash(P1) Packet 3 Hash(P2) Hash(P3) Signature Signature Packet Hash(P1) Hash(P2)

22 Securing Ad Hoc Networks  Zhou & Haas, IEEE Network Magazine ’99  Security goals Availability Confidentiality Integrity Authentication  Secure Routing  Key management

23 Attacker Assumptions  Attacker can physically compromise nodes  “Mobile Adversary” Adversary can compromise any node Temporarily compromises node, then moves on to next node Every node may be compromised at one time  Attacker compromises at most t nodes at any one moment

24 Secure Routing  Authenticate all routing messages, to prevent external attackers  Proposes to use multiple paths to tolerate internal attackers Drawback: internal attackers could easily fake multiple paths

25 Key Management Service  Consider public-key infrastructure (PKI) Everybody trusts certification authority (CA) CA authenticates and signs public keys of other nodes  PKI drawbacks Revocation requires on-line PKI Single point of failure, CA replication increases vulnerability to node compromise  Solution: distributed CA

26 Distributed CA Model  Private CA key is shared among set of nodes Signing needs coalition of t+1 correct nodes Secret sharing prevents t malicious nodes from reconstructing CA private key  Requirements for key management service Robustness: service available to answer requests correctly Confidentiality: adversary never learns CA private key

27 Threshold Cryptography  Share secret S among n nodes, require t+1 nodes for reconstruction (n, t+1) secret sharing scheme  Share private key K among n nodes, require t+1 nodes for signing (n, t+1) threshold signature scheme Node i gets share k i For signing, nodes send partial signature to combiner Combiner collects 2t+1 partial signatures

28 Proactive Security  Use share refreshing against mobile adversaries  If (s 1, s 2, …, s n ) is a sharing of k, and (s’ 1, s’ 2, …, s’ n ) is a sharing of k’, then (s 1 + s’ 1, s 2 + s’ 2, …, s n + s’ n ) is a correct sharing of k + k’  Trick, set k’ = 0, so new sharing also represents k

29 Share Refreshing s1s1 s2s2 s3s3 snsn s 1,1 s 1,2 s 1,n s 2,1 s 2,2 s 2,n s 3,1 s 3,2 s 3,n s n,1 s n,2 s n,n s’ 1 + s’ 2 + s’ n + Shares of 0

30 Discussion  How can share refreshing tolerate faulty nodes?  How can we tolerate compromised combiner? Who decides to be a combiner?  How can we bootstrap this system? How can we introduce a new node?  Why should node sign a message? How does node authenticate message?  Is signature combination expensive if we have t faulty nodes?

Download ppt "Advanced Security Constructions and Key Management Class 16."

Similar presentations

Giuseppe Bianchi Lecture 6.1: Extras: Merkle Trees.

Giuseppe Bianchi Lecture 6.1: Extras: Merkle Trees.
MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.

MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
CSC 774 Advanced Network Security

CSC 774 Advanced Network Security
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.

Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.

Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Hash-based Primitives Credits: Dr. Peng Ning and Dr. Adrian Perrig.

The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Hash-based Primitives Credits: Dr. Peng Ning and Dr. Adrian Perrig.
1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.

1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.
Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
On-The-Fly Verification of Rateless Erasure Codes Max Krohn (MIT CSAIL) Michael Freedman and David Mazières (NYU)

On-The-Fly Verification of Rateless Erasure Codes Max Krohn (MIT CSAIL) Michael Freedman and David Mazières (NYU)
KIANOOSH MOKHTARIAN SCHOOL OF COMPUTING SCIENCE SIMON FRASER UNIVERSITY 3/24/2008 Secure Multimedia Streaming.

KIANOOSH MOKHTARIAN SCHOOL OF COMPUTING SCIENCE SIMON FRASER UNIVERSITY 3/24/2008 Secure Multimedia Streaming.
Authenticating streamed data in the presence of random packet loss March 17th, 2000. Philippe Golle, Stanford University.

Authenticating streamed data in the presence of random packet loss March 17th, Philippe Golle, Stanford University.
Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
SPINS: Security Protocols for Sensor Networks Adrian Perrig Robert Szewczyk Victor Wen David Culler Doug TygarUC Berkeley.

SPINS: Security Protocols for Sensor Networks Adrian Perrig Robert Szewczyk Victor Wen David Culler Doug TygarUC Berkeley.

Similar presentations

Ads by Google