Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.

Slides:



Advertisements
Similar presentations
Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.
Advertisements

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
David Evans CS588: Cryptography University of Virginia Computer Science Lecture 17: Public-Key Protocols.
CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
Rennes, 23/10/2014 Cristina Onete Key-Exchange Protocols. Diffie-Hellman, Active Attacks, and TLS/SSL.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Rennes, 27/11/2014 Cristina Onete Subject Review, Questions, and Exam Practice.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
Class on Security Raghu. Current state of Security Cracks appear all the time Band Aid solutions Applications are not designed properly OS designs are.
Quantum Cryptography Qingqing Yuan. Outline No-Cloning Theorem BB84 Cryptography Protocol Quantum Digital Signature.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.
More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.
CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.
Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.
Chapter 9 Cryptographic Protocol Cryptography-Principles and Practice Harbin Institute of Technology School of Computer Science and Technology Zhijun Li.
Key Distribution CS 470 Introduction to Applied Cryptography
1. Outline 1. Background 1. Attacks on distance-bounding 2. Symmetric vs asymmetric protocol 3. Motivation: DBPK-Log 2. VSSDB 1. Building blocks 2. Protocol.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Lecture 12 Commitment Schemes and Zero-Knowledge Protocols Stefan Dziembowski University of Rome La Sapienza critto09.googlepages.com.
Strong Password Protocols
Adaptively Secure Broadcast, Revisited
Csci5233 Computer Security1 Bishop: Chapter 10 Key Management: Digital Signature.
Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Rennes, 15/10/2014 Cristina Onete Message authenticity: Digital Signatures.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
(Multimedia University) Ji-Jian Chin Swee-Huay Heng Bok-Min Goi
Oblivious Signature-Based Envelope Ninghui Li, Stanford University Wenliang (Kevin) Du, Syracuse University Dan Boneh, Stanford University.
SAR-SSI, 16/05/2014Cristina Onete CIDRE Keep your friends close with distance-bounding protocols.
8-1Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity, authentication.
Chapter 4: Intermediate Protocols
Authentication and Authorization Authentication is the process of verifying a principal’s identity (but how to define “identity”?) –Who the person is –Or,
Lecture 11: Strong Passwords
Wonders of the Digital Envelope Avi Wigderson Institute for Advanced Study.
1 SC700 A2 Internet Information Protocols 3/20/2001 Paper Presentation by J. Chu How to Explain Zero-Knowledge Protocols to Your Children.
Rennes, 23/10/2014 Cristina Onete Graded Exercises & Authentication.
Lecture 14 ISAKMP / IKE Internet Security Association and Key Management Protocol / Internet Key Exchange CIS CIS 5357 Network Security.
Fall 2004/Lecture 201 Cryptography CS 555 Lecture 20-b Zero-Knowledge Proof.
EE515/IS523 Think Like an Adversary Lecture 4 Crypto in a Nutshell Yongdae Kim.
Basic Cryptography 1. What is cryptography? Cryptography is a mathematical method of protecting information –Cryptography is part of, but not equal to,
1 Cryptography NOTES. 2 Secret Key Cryptography Single key used to encrypt and decrypt. Key must be known by both parties. Assuming we live in a hostile.
Presented by: Suparita Parakarn Kinzang Wangdi Research Report Presentation Computer Network Security.
1 Lect. 20. Identification. 2  Entity Authentication (Identification) Over the communication network, one party, Alice, shows to another party, Bob,
1 Lecture 9: Cryptographic Authentication objectives and classification one-way –secret key –public key mutual –secret key –public key establishing session.
Upper OSI Layers Natawut Nupairoj, Ph.D. Department of Computer Engineering Chulalongkorn University.
Digital Signatures, Message Digest and Authentication Week-9.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
Protocols Chapter 2 Protocol: A series of steps, involving two or more parties, designed to accomplish a task. All parties involved must know the protocol.
Cryptography 1 Crypto Cryptography 2 Crypto  Cryptology  The art and science of making and breaking “secret codes”  Cryptography  making “secret.
Authentication Issues and Solutions CSCI 5857: Encoding and Encryption.
Secure Communication between Set-top Box and Smart Card in DTV Broadcasting Authors: T. Jiang, Y. Hou and S. Zheng Source: IEEE Transactions on Consumer.
A A E E D D C C B B # Symmetric Keys = n*(n-1)/2 F F
Lecture 5.1: Message Authentication Codes, and Key Distribution
Software Security Seminar - 1 Chapter 4. Intermediate Protocols 발표자 : 이장원 Applied Cryptography.
Identify Friend or Foe (IFF) Chapter 9 Simple Authentication protocols Namibia Angola 1. N 2. E(N,K) SAAF Impala Russian MIG 1 Military needs many specialized.
Homework #2 J. H. Wang Oct. 31, 2012.
INCS 741: Cryptography Overview and Basic Concepts.
Bit Commitment, Fair Coin Flips, and One-Way Accumulators Matt Ashoff 11/9/2004 Cryptographic Protocols.
Zero Knowledge r Two parties:  All powerful prover P  Polynomially bounded verifier V r P wants to prove a statement to V with the following properties:
Topic 36: Zero-Knowledge Proofs
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Presentation transcript:

Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication

 Commitment Schemes AliceBob  Example : Alice and Bob must agree who will clean tonight They are at their offices. Each tosses a coin & they call:  If tosses are the same, then Alice cleans  If tosses are different, then Bob cleans Who talks first? Bob Alice Cristina Onete || 24/10/2014 || 2

 Commitment Schemes Alice Bob  Alice and Bob toss Alice talks first Bob talks first Bob Alice  How can we avoid this? Bob says he tossed the same value Alice says she tossed the opposite value Cristina Onete || 24/10/2014 || 3

 Commitment Schemes AliceBob  Commitment: an envelope with a strange seal Alice talks first Commit phase: she hides toss in envelope, gives it to Bob Reveal phase: Alice tells Bob how to unseal envelope Bob reveals toss Bob cleans Cristina Onete || 24/10/2014 || 4

 Commitment Schemes AliceBob  Properties: Hiding: The content of the envelope is not visible Bob doesn’t know anything about Alice’s toss Binding: Alice can’t change the content in the envelope Alice can’t cheat after getting Bob’s toss Cristina Onete || 24/10/2014 || 5

 Commitment Schemes Alice Bob  Formally:  Commitment hiding: ……………………  Commitment binding: Cristina Onete || 24/10/2014 || 6

 Pedersen Commitments AliceBob …………………… Impossible Cristina Onete || 24/10/2014 || 7

 Pedersen Commitments AliceBob ……………………  Hiding: Cristina Onete || 24/10/2014 || 8

 DLog-based Commitments AliceBob ……………………  Computationally hiding: DLog  Perfectly binding by construction Cristina Onete || 24/10/2014 || 9

 Cristina Onete || 25/09/2014 || 10 Exercise 1  Consider a hash function H  Use the commitment scheme  Is this commitment binding if H is one-way?  If H is one-way, is this commitment hiding?

 Cristina Onete || 25/09/2014 || 11 Exercise 2  Use the commitment scheme  Is this commitment binding?  Is this commitment hiding?  What happens if the value s is known?

 Cristina Onete || 25/09/2014 || 12 Exercise 3  Use the commitment scheme  Is this commitment hiding?  Is this commitment binding?

 Cristina Onete || 25/09/2014 || 13 Identification & Authentication ProverVerifier  Goal (identification) : The prover wants to convince the verifier she is who she pre- tends to be Example: interview/application/exam  Goal (authentication) : Prover wants to prove she’s legitimate Example: owner of a house, student at University, etc ID

 Cristina Onete || 25/09/2014 || 14 Challenge-Response  Two-move protocol Verifier starts, sending a challenge Prover sends a response Based on the challenge-response, the verifier must make his decision ProverVerifier challenge response

 Cristina Onete || 25/09/2014 || 15 Challenge-Response Prover Verifier challenge response  Symmetric authentication: Verifier stores a keyring of many keys (each corresponding to one prover) Goal of challenge-response: verifier can decide whether the prover is legitimate or not Shared Property 1: a legitimate prover can always authenticate Property 2: an illegitimate prover can never authenticate

 Cristina Onete || 25/09/2014 || 16 Challenge-Response Prover Verifier challenge response Shared  Exercise 4: Can the set of possible challenges be small?

 Cristina Onete || 25/09/2014 || 17 Challenge-Response Prover Verifier challenge response  Exercise 5: Design a challenge-response protocol using a symmetric encryption function Now use a PK encryption scheme Use a pseudo-random hash function Now use a signature scheme Use a commitment scheme and a 1-way hash function

 Cristina Onete || 25/09/2014 || 18 Exercises  Exercise 6: Prover Verifier Use the protocol above, assuming the hash function produ- ces pseudo-random outputs What is a simple denial-of-service attack that an attacker can run against a verifier who stores very many keys?

 Cristina Onete || 25/09/2014 || 19 Exercises Prover Verifier  Exercise 7: A mutual authentication protocol is one in which both parties can verify the legitimacy of their partner Start from a basic 2-move challenge-response protocol. Can you think of a 3-move protocol that ensures MUTUAL authentication? Design a mutual authentication protocol using only a (keyed) hash function. What are the required properties?

CIDRE Thanks!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.