Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 4: Intermediate Protocols

Published byShavonne Conley Modified over 8 years ago

Similar presentations

Presentation on theme: "Chapter 4: Intermediate Protocols"— Presentation transcript:

1 Chapter 4: Intermediate Protocols
Dulal C. Kar

2 Timestamping Services
Tampering timestamps in a digital document is trivial We need a protocol for digital timestamping with the following desirable properties Data itself (not the medium) must be timestamped Must be impossible to change a single bit of the document without being caught Must be impossible to timestamp a document with a date and time from the present one (no back-dating possible)

3 Timestamping: Arbitrated Solution
Trent: a trusted timestamping service Protocol: Alice sends a copy of the document to Trent Trent records the date and time and retains a copy of the document Problems No privacy Database would have to a huge one Potential errors in transmission or storage

4 Timestamping: Improved Arbitrated Solution
Using one-way hash functions and digital signatures Protocol Alice produces a one-way hash of the document and transmits the hash to Trent Trent appends the date and time onto the hash and digitally signs the result Trent sends the signed hash with timestamp back to Alice Only problem Alice and Trent can still collude to produce any timestamp they want

5 Timestamping: Linking Protocol
To solve the problem Link Alice’s timestamp with timestamp previously generated by Trent A: Alice’s name, Hn: Alice’s hash value, Tn-1: Previous timestamp Protocol Alice sends Trent Hn and A Trent sends back to Alice: Tn = SK(n, A, Hn, tn, In-1, Hn-1, Tn-1, Ln) Where Ln consists of the following hashed linking information: Ln = H(In-1, Hn-1, Tn-1, Ln-1) SK: signed with Trent’s private key n: nth timestamp tn : time parameter After Trent stamps the next document, he sends Alice the identification of the originator of that document In+1

6 Timestamping: Distributed Protocol
It maybe impossible for Alice to get a copy of In-1’s timestamp Protocol (Without Trent) Using Hn as input, Alice generates a string of random values using a cryptographically secure pseudo-random-number generator: V1, V2, V3, Vk and interprets each number as the identification, I of another person She sends Hn to each of these people Each person attaches date and time to hash value, signs it and sends it back to Alice Alice collects and stores all signatures as timestamp To fake, Alice has to convince all k people to cooperate, which is difficult if k is large enough

7 Subliminal Channel A covert communications channel between two or more parties Gustavus Simmons invented the concept of a subliminal channel using digital signature algorithm Protocol Alice generates an innocuous message Using a secret key shared with Bob, Alice signs the message in such a way that she hides her subliminal message in the signature Alice sends this to Bob via Walter (an adversary) Walter reads the message, checks the signature, and finds nothing amiss; he passes the signed message to Bob Bob checks the signature on the signed message Bob ignores the message and, using the secret key, he extracts the subliminal message Application Spy network A company can sign and embed subliminal messages in documents for tracking purposes

8 Undeniable Digital Signatures
Normal digital signatures can be copied exactly and can be verified by anyone Undeniable signature (non-transferable signature) Unlike normal digital signatures, an undeniable signature cannot be verified without the signer’s consent Also, signer cannot falsely deny the signature Basic protocol Alice presents Bob with a signature Bob generates a random number and sends it to Alice Alice does a calculation using the random number and her private key and sends Bob the result. Alice could only do this calculation if the signature is valid. Bob confirms this Controlling who verifies her signature is a way for Alice to protect her personal privacy

9 Designated Confirmer Signatures
Designated confirmer signatures allows a signer to designate someone else to verify his signature Suppose Alice signs a document Bob knows, Alice’s signature is valid but cannot convince it to a third party Alice can designate Carol as the confirmer. How? Alice uses Carol’s public key Carol can be A copyright office A government agent

10 Proxy Signatures How to allow someone to sign messages on your behalf?
Properties Distinguishability Proxy signatures are distinguishable from normal signatures Unforgeability No one but original signer and designated proxy signer can create a valid proxy signature Proxy signer’s deviation A proxy signer cannot create a valid proxy signature not detected as a proxy signature Verifiability A verifier can be convinced of the original signer’s agreement from a proxy signature Identifiability Original signer can determine proxy signer’s identity from a proxy signature Undeniability Proxy signer cannot disavow an accepted proxy signature he created

11 Group Signatures Group signatures have the following properties
Only members of the group can sign messages Receiver can verify the group signature Receiver must not know the identity of the signer in the group In case of dispute, the signer’s identity can be revealed

12 Group Signatures with a Trusted Arbitrator
Trent generates a master list of public/private key pairs and gives each member a unique sub-list of private keys Trent publishes list of all public keys in random order To sign a document, a group member picks any key from his/her sub-list of private keys To verify, receiver picks corresponding public key from the master list In case of dispute, Trent knows which public key corresponds to which group member

13 Fail-Stop Digital Signatures
If Eve forges Alice’s signatures after brute-force attack, then Alice can prove they are forgeries. How? Basic idea For every possible public key, there are many possible private keys Each of these private keys yields many different possible signatures Signer has only one private key and does not know any of the other private keys

14 Computing with Encrypted Data
Alice wants Bob to compute f(x) for her but does not want to disclose x to Bob Called hiding information from an oracle Discussed in Section 23.6

15 Bit Commitment: Using Symmetric Cryptography
Bob sends Alice a random-bit string , R. Alice sends Bob: EK(R,b) where K: random key and b: bit or bits to commit Note that Bob cannot decrypt the message. When it comes time for Alice to reveal her bit, Alice sends Bob: K Bob decrypts the message to reveal the bit. Bob checks his random string to verify the bit’s validity

16 Bit Commitment: Using One-Way Functions
Alice sends Bob: H(R1, R2, b), R1 where R1, R2: random bit-strings, b: committed bit When it comes time for Alice to reveal her bit, Alice sends Bob original message: (R1,R2,b) Bob verifies with one-way function H It works since Alice cannot find another message (R1, R2’, b’) such that (R1, R2’, b’) = H(R1, R2, b)

17 Bit Commitment: Using Pseudo-Random-Sequence Generators
Bob sends Alice a random-bit string: RB Alice generates a random seed for a pseudo-random-bit generator. For every bit in Bob’s random-bit string, she sends Bob either: a) Output of the generator if Bob’s bit is 0, or b) XOR of output of the generator and her bit b, if Bob’s bit is 1. When it comes time to reveal her bit, Alice sends Bob her random seed Bob completes step 2 to confirm Note: Blobs Strings that Alice sends to Bob to commit to a bit

18 Fair Coin Flips We need to do it fairly over a communication channel
Need a protocol with properties Alice must flip the coin before Bob guesses Alice must not be able to re-flip the coin and change the result after hearing Bob’s guess Bob must not be able to know how the coin landed before making his guess

19 Coin Flipping Using One-Way Functions
Alice sends y = f(x), where x is a random number Bob guesses whether x is even or odd and sends his guess to Alice If Bob’s guess is correct, the result is head otherwise it is tail. Alice sends the result (tail or head) and x to Bob Bob confirms that y = f(x) Security depends on the one-way function f(x)

20 Coin Flipping Using Public-Key Cryptography
Assumption The algorithm commutes. DK1(EK2(EK1(M)))=EK2(M) Protocol Alice generates two messages M1=(RA, Head) and M2 = (RA, Tail) where RA: random number chosen by Alice Alice sends Bob: EA(M1) and EA(M2) where A: Alice’s public key Bob chooses EA(M1) or EA(M2) at random and sends Alice: EB(EA(M1)) or EB(EA(M2)) Alice decrypts it with her private key and sends it back to Bob: DA(EB(EA(M1))) = EB(M1) or EB(M2) Bob decrypts it to find M1 or M2 and send the result to Alice Alice reads the result and verifies RA is correct Both Alice and Bob reveal their key pairs so that both can verify that the other did not cheat

21 Anonymous Key Distribution
Problem Setup a Key Distribution Center (server) to generate and distribute keys in such a way that no one, including the server, can figure out who got which key Protocol Alice generates a public/private key pair and keeps both keys secret KDC generates a continuous stream of keys KDC encrypts the keys, one by one by its own public key KDC transmits the encrypted keys, one by one, onto the network Alice chooses a key at random Alice encrypts the chosen key with her public key Alice waits a while (long enough so that the server has no idea which key she has chosen) and sends the double-encrypted key back to KDC KDC decrypts the double-encrypted key with its private key, leaving a key encrypted with Alice’s public key Server sends the encrypted key back to Alice Alice decrypts the key with her private key

22 Key Escrow Micali’s Fair Cryptosystem
Break up the private key into n pieces and distribute each piece to different trusted authorities Each piece can be verified for correctness without reconstructing the private key If needed, court order can authorize law enforcement authorities to gather n pieces from trustees and construct the private key

23 Key Escrow Protocol Alice creates her private/public key pair. She splits the private key into several public pieces and private pieces Alice sends a public piece and corresponding private piece to each of the trustees. These messages must be encrypted. She also sends the public key to the KDC Each trustee, independently, performs a calculation on its public piece and its private piece for correctness. Each trustee stores the private piece somewhere secure and sends the public piece to the KDC KDC performs another calculation on the public pieces and the public key for correctness. It then signs the public key and either sends it back to Alice or posts it in a database somewhere.

Download ppt "Chapter 4: Intermediate Protocols"

Similar presentations

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Cryptography and Network Security

Cryptography and Network Security
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.
Security Chapters 14,15. The Security Environment Threats Security goals and threats.

Security Chapters 14,15. The Security Environment Threats Security goals and threats.
Quantum Cryptography Qingqing Yuan. Outline No-Cloning Theorem BB84 Cryptography Protocol Quantum Digital Signature.

Quantum Cryptography Qingqing Yuan. Outline No-Cloning Theorem BB84 Cryptography Protocol Quantum Digital Signature.
On The Cryptographic Applications of Random Functions Oded Goldreich Shafi Goldwasser Silvio Micali Advances in Cryptology-CRYPTO ‘ 84 報告人 : 陳昱升.

On The Cryptographic Applications of Random Functions Oded Goldreich Shafi Goldwasser Silvio Micali Advances in Cryptology-CRYPTO ‘ 84 報告人 : 陳昱升.
ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.
Protocol Building Blocks 1.Protocols are multi-agent algorithms 2.Agents know protocol 3.Protocol unambiguous, well-defined 4.Protocol complete, action.

Protocol Building Blocks 1.Protocols are multi-agent algorithms 2.Agents know protocol 3.Protocol unambiguous, well-defined 4.Protocol complete, action.
Chapter 9 Cryptographic Protocol Cryptography-Principles and Practice Harbin Institute of Technology School of Computer Science and Technology Zhijun Li.

Chapter 9 Cryptographic Protocol Cryptography-Principles and Practice Harbin Institute of Technology School of Computer Science and Technology Zhijun Li.
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6 Epayment Security II.

ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.

Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.
Computer Science CSC 774Dr. Peng Ning1 CSC 774 Advanced Network Security Topic 2. Review of Cryptographic Techniques.

Computer Science CSC 774Dr. Peng Ning1 CSC 774 Advanced Network Security Topic 2. Review of Cryptographic Techniques.
CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.

CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.
E- Business Digital Signature Varna Free University Prof. Teodora Bakardjieva.

E- Business Digital Signature Varna Free University Prof. Teodora Bakardjieva.

Similar presentations

Ads by Google