Presentation is loading. Please wait.

Presentation is loading. Please wait.

EE515/IS523 Think Like an Adversary Lecture 4 Crypto in a Nutshell Yongdae Kim.

Published byJeremy Hawkins Modified over 8 years ago

Similar presentations

Presentation on theme: "EE515/IS523 Think Like an Adversary Lecture 4 Crypto in a Nutshell Yongdae Kim."— Presentation transcript:

1 EE515/IS523 Think Like an Adversary Lecture 4 Crypto in a Nutshell Yongdae Kim

2 Recap ^ http://security101.kr http://security101.kr ^ E-mail policy  Include [ee515] or [is523] in the subject of your e-mail ^ Student Survey  http://bit.ly/SiK9M3 http://bit.ly/SiK9M3 ^ paper presentation survey  http://bit.ly/18HDzCg http://bit.ly/18HDzCg

3 Basic Cryptography Yongdae Kim

4 SKE with Secure channel Plaintext source Encryption E e (m) = c destination Decryption D d (c) = m c Insecure channel AliceBob Adversary Key source e mm d Secure channel

5 PKE with insecure channel Plaintext source Encryption E e (m) = c destination Decryption D d (c) = m c Insecure channel AliceBob Passive Adversary Key source d mm e Insecure channel

6 Public key should be authentic! e e E e (m) e’e’e’e’ E e’ (m) E e (m) ^ Need to authenticate public keys

7 Digital Signatures ^ Primitive in authentication and non- repudiation ^ Signature  Process of transforming the message and some secret information into a tag ^ Nomenclature  M is set of messages  S is set of signatures  S A : M ! S for A, kept private  V A is verification transformation from M to S for A, publicly known

8 Key Establishment, Management ^ Key establishment  Process to whereby a shared secret key becomes available to two or more parties  Subdivided into key agreement and key transport. ^ Key management  The set of processes and mechanisms which support key establishment  The maintenance of ongoing keying relationships between parties

9 Symmetric vs. Public key ProsCons SKE ^ High data throughput ^ Relatively short key size ^The key must remain secret at both ends ^O(n 2 ) keys to be managed ^Relatively short lifetime of the key PKE ^O(n) keys ^Only the private key must be kept secret ^longer key life time ^digital signature ^Low data throughput ^Much larger key sizes

10 Symmetric key Encryption ^ Symmetric key encryption  if for each (e,d) it is easy computationally easy to compute e knowing d and d knowing e  Usually e = d ^ Block cipher  breaks up the plaintext messages to be transmitted into blocks of a fixed length, and encrypts one block at a time ^ Stream cipher  encrypt individual characters of plaintext message one at a time, using encryption transformation which varies with time

11 Hash function and MAC ^ A hash function is a function h  compression  ease of computation  Properties  one-way: for a given y, find x’ such that h(x’) = y  collision resistance: find x and x’ such that h(x) = h(x’)  Examples: SHA-1, MD-5 ^ MAC (message authentication codes)  both authentication and integrity  MAC is a family of functions h k  ease of computation (if k is known !!)  compression, x is of arbitrary length, h k (x) has fixed length  computation resistance  Example: HMAC

12 How Random is the Hash function?

13 Applications of Hash Function ^ File integrity ^ Digital signature Sign = S SK (h(m)) ^ Password verification stored hash = h(password) ^ File identifier ^ Hash table ^ Generating random numbers

14 Hash function and MAC ^ A hash function is a function h  compression  ease of computation  Properties  one-way: for a given y, find x’ such that h(x’) = y  collision resistance: find x and x’ such that h(x) = h(x’)  Examples: SHA-1, MD-5 ^ MAC (message authentication codes)  both authentication and integrity  MAC is a family of functions h k  ease of computation (if k is known !!)  compression, x is of arbitrary length, h k (x) has fixed length  computation resistance  Example: HMAC

15 MAC construction from Hash ^ Prefix  M=h(k||x)  appending y and deducing h(k||x||y) form h(k||x) without knowing k ^ Suffix  M=h(x||k)  possible a birthday attack, an adversary that can choose x can construct x’ for which h(x)=h(x’) in O(2 n/2 ) ^ STATE OF THE ART: HMAC (RFC 2104)  HMAC(x)=h(k||p 1 ||h(k|| p 2 ||x)), p1 and p2 are padding  The outer hash operates on an input of two blocks  Provably secure

16 How to use MAC? ^ A & B share a secret key k ^ A sends the message x and the MAC M ← H k (x) ^ B receives x and M from A ^ B computes H k (x) with received M ^ B checks if M=H k (x)

17 PKE with insecure channel Plaintext source Encryption E e (m) = c destination Decryption D d (c) = m c Insecure channel AliceBob Passive Adversary Key source d mm e Insecure channel

18 Digital Signature ^ Integrity ^ Authentication ^ Non-repudiation I did not have intimate relations with that woman,…, Ms. Lewinsky

19 Digital Signature with Appendix ^ Schemes with appendix  Requires the message as input to verification algorithm  Rely on cryptographic hash functions rather than customized redundancy functions  DSA, ElGamal, Schnorr etc.

20 Digital Signature with Appendix M m mhmh MhMh h s* S S A,k M h x S u 2{True, False} VAVA s* = S A,k (m h ) u = V A (m h, s*)

21 Authentication ^ How to prove your identity?  Prove that you know a secret information ^ When key K is shared between A and Server  A  S: HMAC K (M) where M can provide freshness  Why freshness? ^ Digital signature?  A  S: Sig SK (M) where M can provide freshness ^ Comparison?

22 Encryption and Authentication ^ E K (M) ^ Redundancy-then-Encrypt: E K (M, R(M)) ^ Hash-then-Encrypt: E K (M, h(M)) ^ Hash and Encrypt: E K (M), h(M) ^ MAC and Encrypt: E h1(K) (M), HMAC h2(K) (M) ^ MAC-then-Encrypt: E h1(K) (M, HMAC h2(K) (M))

23 Challenge-response authentication ^ Alice is identified by a secret she possesses  Bob needs to know that Alice does indeed possess this secret  Alice provides response to a time-variant challenge  Response depends on both secret and challenge ^ Using  Symmetric encryption  One way functions

24 Challenge Response using SKE ^ Alice and Bob share a key K ^ Taxonomy  Unidirectional authentication using timestamps  Unidirectional authentication using random numbers  Mutual authentication using random numbers ^ Unilateral authentication using timestamps  Alice  Bob: E K (t A, B)  Bob decrypts and verified that timestamp is OK  Parameter B prevents replay of same message in B  A direction

25 Challenge Response using SKE ^ Unilateral authentication using random numbers  Bob  Alice: r b  Alice  Bob: E K (r b, B)  Bob checks to see if r b is the one it sent out  Also checks “B” - prevents reflection attack  r b must be non-repeating ^ Mutual authentication using random numbers  Bob  Alice: r b  Alice  Bob: E K (r a, r b, B)  Bob  Alice: E K (r a, r b )  Alice checks that r a, r b are the ones used earlier

26 Challenge-response using OWF ^ Instead of encryption, used keyed MAC h K ^ Check: compute MAC from known quantities, and check with message ^ SKID3  Bob  Alice: r b  Alice  Bob: r a, h K (r a, r b, B)  Bob  Alice: h K (r a, r b, A)

27 Key Establishment, Management ^ Key establishment  Process to whereby a shared secret key becomes available to two or more parties  Subdivided into key agreement and key transport. ^ Key management  The set of processes and mechanisms which support key establishment  The maintenance of ongoing keying relationships between parties

Download ppt "EE515/IS523 Think Like an Adversary Lecture 4 Crypto in a Nutshell Yongdae Kim."

Similar presentations

Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Computer Science CSC 474By Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.1 Introduction to Cryptography.

Computer Science CSC 474By Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.1 Introduction to Cryptography.
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.

CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
CS470, A.SelcukHash Functions1 Cryptographic Hash Functions CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukHash Functions1 Cryptographic Hash Functions CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.

CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
Computer Science CSC 774Dr. Peng Ning1 CSC 774 Advanced Network Security Topic 2. Review of Cryptographic Techniques.

Computer Science CSC 774Dr. Peng Ning1 CSC 774 Advanced Network Security Topic 2. Review of Cryptographic Techniques.
CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS

CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Similar presentations

Ads by Google