Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide 1 Vitaly Shmatikov CS 378 Public-Key Authentication and Public-Key Infrastructure.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Slide 1 Vitaly Shmatikov CS 378 Public-Key Authentication and Public-Key Infrastructure."— Presentation transcript:

1 slide 1 Vitaly Shmatikov CS 378 Public-Key Authentication and Public-Key Infrastructure

2 slide 2 fresh random challenge C Authentication with Public Keys Alice Bob PRIVATE KEY PUBLIC KEY “I am Alice” sig Alice (C) Verify Alice’s signature on c 1.Only Alice can create a valid signature 2.Signature is on a fresh, unpredictable challenge Potential problem: Alice will sign anything

3 slide 3 Mafia-in-the-Middle Attack [from Anderson’s book] customer XXX Adult entertainment Over 21 only! Mafia porn site Picture 143! Bank Buy 10 gold coins Sign ‘X’ Prove your age by signing ‘X’ sig K (x) PRIVATE KEY K sig K (x)

4 slide 4 Early Version of SSL (Simplified) AliceBob encrypt PublicKey(Bob) (“Alice”, K AB ) encrypt K AB (“Alice”, sig Alice (N B )) fresh session key encrypt K AB (N B ) fresh random number uBob’s reasoning: I must be talking to Alice because… Whoever signed N B knows Alice’s private key… Only Alice knows her private key… Alice must have signed N B … N B is fresh and random and I sent it encrypted under K AB … Alice could have learned N B only if she knows K AB … She must be the person who sent me K AB in the first message...

5 slide 5 Breaking Early SSL Alice encrypt PK(Charlie) (“Alice”,K AC ) enc K AC (“Alice”, sig Alice (N B )) Charlie (with an evil side) Bob encrypt PK(Bob) (“Alice”,K CB ) encrypt K CB (N B ) encrypt K AC (N B ) encrypt K CB (“Alice”, sig Alice (N B )) This signature says that it was created by Alice, but not why or for whom uCharlie uses his legitimate conversation with Alice to impersonate Alice to Bob Information signed by Alice is not sufficiently explicit

6 slide 6 Authenticity of Public Keys ? Problem: How does Alice know that the public key she received is really Bob’s public key? private key Alice Bob public key Bob’s key

7 slide 7 Distribution of Public Keys uPublic announcement or public directory Risks: forgery and tampering uPublic-key certificate Signed statement specifying the key and identity –sig Alice (“Bob”, PK B ) uCommon approach: certificate authority (CA) Single agency responsible for certifying public keys After generating a private/public key pair, user proves his identity and obtains CA’s certificate (offline) Every computer is pre-configured with CA’s public key and can verify certificates signed by CA

8 slide 8 Using Public-Key Certificates Authenticity of public keys is reduced to authenticity of one key (CA’s public key)

9 slide 9 Hierarchical Approach uSingle CA certifying every public key is impractical uInstead, use a trusted root authority For example, Verisign Everybody must know the public key for verifying root authority’s signatures uRoot authority signs certificates for lower-level authorities, lower-level authorities sign certificates for individual networks, and so on Instead of a single certificate, use a certificate chain –sig Verisign (“UT Austin”, PK UT ), sig UT (“Vitaly S.”, PK V ) What happens if root authority is ever compromised?

10 slide 10 Alternative: “Web of Trust” uUsed in PGP (Pretty Good Privacy) uInstead of a single root certificate authority, each person has a set of keys they “trust” If public-key certificate is signed by one of the “trusted” keys, the public key contained in it will be deemed valid uTrust can be transitive Can use certified keys for further certification Alice Friend of Alice Friend of friend Bob sig Alice (“Friend”, Friend’s key) sig Friend (“FoaF”, FoaF’s key) I trust Alice

11 slide 11 X.509 Authentication Service uInternet standard (1988-2000) uSpecifies certificate format X.509 certificates are used in IPSec and SSL/TLS uSpecifies certificate directory service For retrieving other users’ CA-certified public keys uSpecifies a set of authentication protocols For proving identity using public-key signatures uDoes not specify crypto algorithms Can use it with any digital signature scheme and hash function, but hashing is required before signing

12 slide 12 X.509 Certificate Added in X.509 versions 2 and 3 to address usability and security problems (read Stallings 4.2)

13 slide 13 Certificate Revocation uRevocation is very important uMany valid reasons to revoke a certificate Private key corresponding to the certified public key has been compromised User stopped paying his certification fee to this CA and CA no longer wishes to certify him CA’s certificate has been compromised! uExpiration is a form of revocation, too Many deployed systems don’t bother with revocation Re-issuance of certificates is a big revenue source for certificate authorities

14 slide 14 Certificate Revocation Mechanisms uOnline revocation service When a certificate is presented, recipient goes to a special online service to verify whether it is still valid –Like a merchant dialing up the credit card processor uCertificate revocation list (CRL) CA periodically issues a signed list of revoked certificates –Credit card companies used to issue thick books of canceled credit card numbers Can issue a “delta CRL” containing only updates uQuestion: does revocation protect against forged certificates?

15 slide 15 X.509 Certificate Revocation List Because certificate serial numbers must be unique within each CA, this is enough to identify the certificate

16 slide 16 X.509 Version 1 AliceBob “Alice”, sig Alice (Time Alice, “Bob”, encrypt PublicKey(Bob) (message)) uEncrypt, then sign for authenticated encryption Goal: achieve both confidentiality and authentication E.g., encrypted, signed password for access control uDoes this work?

17 slide 17 Attack on X.509 Version 1 AliceBob “Alice”, sig Alice (Time Alice, “Bob”, encrypt PublicKey(Bob) (password)) uReceiving encrypted password under signature does not mean that the sender actually knows the password! uProper usage: sign, then encrypt Attacker extracts encrypted password and replays it under his own signature “Charlie”, sig Charlie (Time Charlie, “Bob”, encrypt PublicKey(Bob) (password))

18 slide 18 Denning-Sacco Protocol AliceBob “I’m Alice”, cert Alice, cert Bob, encrypt PublicKey(Bob) (sig Alice (Time Alice, K AB )) uGoal: establish a new shared key K AB with the help of a trusted certificate service Certificate server “Alice”, “Bob” cert Alice, cert Bob

19 slide 19 Attack on Denning-Sacco Alice Charlie (with an evil side) “I’m Alice”, cert Alice, cert Charlie, encrypt PublicKey(Charlie) (sig Alice (Time Alice, K AC )) uAlice’s signature is insufficiently explicit Does not say to whom and why it was sent uAlice’s signature can be used to impersonate her Nothing in this signature says that it was sent to Charlie! Bob “I’m Alice”, cert Alice, cert Bob, encrypt PublicKey(Bob) ( sig Alice (Time Alice, K AC ))

20 slide 20 Reading Assignment uStallings 3.6 and 4.2

Download ppt "Slide 1 Vitaly Shmatikov CS 378 Public-Key Authentication and Public-Key Infrastructure."

Similar presentations

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI)
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
1 ISA 562 Information Systems Theory and Practice 10. Digital Certificates.

1 ISA 562 Information Systems Theory and Practice 10. Digital Certificates.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.

More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
Report on Attribute Certificates By Ganesh Godavari.

Report on Attribute Certificates By Ganesh Godavari.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.

Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Slide 1 Many slides from Vitaly Shmatikov, UT Austin Public-Key Infrastructure CNS F2006.

Slide 1 Many slides from Vitaly Shmatikov, UT Austin Public-Key Infrastructure CNS F2006.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.

1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Similar presentations

Ads by Google