ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

Slides:



Advertisements
Similar presentations
1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
Advertisements

Chapter 10 Real world security protocols
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.
Off-the-Record Communication, or, Why Not To Use PGP
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
Mental Poker The SRA Protocol. What is Mental Poker? Playing poker without cards (ie over telephone or internet). No Trusted Third Party or source of.
ITIS 6200/ Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures and Hash Functions. Digital Signatures.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Attacks on Digital Signature Algorithm: RSA
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.
Freenet A Distributed Anonymous Information Storage and Retrieval System I Clarke O Sandberg I Clarke O Sandberg B WileyT W Hong.
1 Chap 1: Introduction Some background –The message is usually represented as M or P (plaintext), the encryption result is usually represented as C (ciphertext).
ITIS 6010/8010: Wireless Network Security Weichao Wang.
Computer Science CSC 774Dr. Peng Ning1 CSC 774 Advanced Network Security Topic 2. Review of Cryptographic Techniques.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
1 Lecture 18: Security issues specific to security key management services –privacy –integrity/authentication –nonrepudiation/plausible deniability.
Practical Techniques for Searches on Encrypted Data Yongdae Kim Written by Song, Wagner, Perrig.
Chapter 31 Network Security
Csci5233 Computer Security1 Bishop: Chapter 10 Key Management: Digital Signature.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
The RSA Algorithm Rocky K. C. Chang, March
Cryptology Digital Signatures and Digital Certificates Prof. David Singer Dept. of Mathematics Case Western Reserve University.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Protocols to do seemingly impossible 1 CHAPTER 11: Protocols to do seemingly impossible A protocol is an algorithm two (or more) parties have to follow.
Chapter 4: Intermediate Protocols
Authentication and Authorization Authentication is the process of verifying a principal’s identity (but how to define “identity”?) –Who the person is –Or,
Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.
Freenet: A Distributed Anonymous Information Storage and Retrieval System Presenter: Chris Grier ECE 598nb Spring 2006.
Lecture 11: Strong Passwords
CSCD 218 : DATA COMMUNICATIONS AND NETWORKING 1
6. Esoteric Protocols secure elections and multi-party computation Kim Hyoung-Shick.
Chapter 3: Basic Protocols Dulal C. Kar. Key Exchange with Symmetric Cryptography Session key –A separate key for one particular communication session.
Based on Schneier Chapter 5: Advanced Protocols Dulal C. Kar.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 50 Cryptography, Privacy, and Digital Certificates.
Using Cryptography for Network Security Common problems: –Authentication - A and B want to prove their identities to one another –Key-distribution - A.
Software Security Seminar - 1 Chapter 5. Advanced Protocols 조미성 Applied Cryptography.
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
Based on Bruce Schneier Chapter 8: Key Management Dulal C Kar.
Privacy versus Authentication Confidentiality (Privacy) –Interceptors cannot read messages Authentication: proving the sender’s identity –The Problem of.
Digital Signatures, Message Digest and Authentication Week-9.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
Authentication Issues and Solutions CSCI 5857: Encoding and Encryption.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
1 Network Security Lecture 7 Overview of Authentication Systems Waleed Ejaz
A A E E D D C C B B # Symmetric Keys = n*(n-1)/2 F F
Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.
Software Security Seminar - 1 Chapter 4. Intermediate Protocols 발표자 : 이장원 Applied Cryptography.
1 The RSA Algorithm Rocky K. C. Chang February 23, 2007.
Bit Commitment, Fair Coin Flips, and One-Way Accumulators Matt Ashoff 11/9/2004 Cryptographic Protocols.
Key Wrap Algorithm.
Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.
Computer Communication & Networks
Information Security message M one-way hash fingerprint f = H(M)
Information Security message M one-way hash fingerprint f = H(M)
Information Security message M one-way hash fingerprint f = H(M)
ITIS 6200/8200 Chap 5 Dr. Weichao Wang.
Presentation transcript:

ITIS 6200/8200

time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping –Data, instead of the storage medium, should be stamped –Minor change in source file leads to major changes in stamp –Low probability of conflict

Time-stamping using TTP –Alice sends a file to T –T keeps the file, date, and time in the record –When it is needed, T can provide the evidence –Problems: Need a TTP What about data error during transmission? Need huge storage space Why should Alice tell the secret to T? Collusion between Alice and T

Time-stamping using TTP –Using hash result and digital signature we can fix most of the problems –Alice asks T to sign the hash result of the file –T sends the digital signature back to Alice, T does not need to record the file –Alice verifies the signature and make sure that no error happens during transmission

How to defend against collusion –Linking protocol: every signature is restricted by the previous one and the following one –T will sign: –Alice will also receive the owner of the next hash result I n+1

How does the linking protocol mitigate the collusion between T and Alice –The timestamp is restricted by the previous one and the next one –T cannot predict the order of the requesters –Possible way to compromise this method: T generates fake event sequences and leaves some gaps for future use Counteraction: linking a longer sequence

Removing TTP: using Distributed hash table –Alice uses Hn as seed to generate a group of node ID using a pseudo random number generator –Alice sends out Hn to these nodes –These nodes will sign with their digital signatures and send it back –Alice can use these signatures to prove the timestamp

Why it is difficult for Alice to collude with all these nodes? –The node IDs are generated through a pseudo random number generator based on Hn, Alice cannot predict those IDs –Similar ideas have been used in P2P systems and location-based routing for wireless networks

The generation of a hash tree –Need to timestamp a large number of files –Using the hash values to construct a tree –Publish only the root of the tree –Provide corresponding entries in the tree to the end users so that they can verify

Bit commitment Alice needs to commit a prediction which will not be revealed until later. Bob needs to make sure that Alice cannot change it. How can we do that? Example: –Picking stocks: who will go first? –Be careful of the forward search attack –Attack to such commitment: racing horses Why this attack can be conducted: limited commitment space

Bit commitment using symmetric encryption –Bob generates a random number R and sends to Alice –Alice generates a secret session key k, send back E_k(R, committed bit) –Bob does not know k, so cannot recover the bit –Later Alice reveals the key so Bob can verify it

Problems of bit commitment using symmetric key encryption –Why E_k(b) cannot commit the bit? –If Bob does not provide the random number, Alice can decrypt the same cipher-text with different keys and generate one ended with “1” and the other ended with “0” –How about Alice generates R A and tells Bob? For example E_k(R A, b) –It is very difficult for Alice to find two different keys that can generate the same cipher-text with E_k(R, “0”) and E_k’(R, “1”). However, allowing Alice to generate R A will allow her to do pre-computation.

Bit commitment using one-way function –Can we use Hash(R A, b) to commit a bit? If Alice does not tell Bob R A, forward search by Alice If Alice tells Bob R A, Bob can figure out the bit –A better protocol: Alice generates two random numbers, R1 and R2 Alice sends (R1, Hash(R1, R2, b)) to Bob to commit the bit –Why we need R1 in plain text? –Why do we need R2 in cipher-text? Later, Alice gives Bob R1, R2, and b to verify

The advantage of this protocol: –Bob does not need to send anything –It is very difficult to find Hash(R1, R2, “0”) = Hash(R1, R2’, “1”) if R1 is long enough and the one way function has been properly designed

Fair coin flip in digital world –It is different from the real world, where both parties can see the coin –The properties we need: Alice flips the coin before Bob guesses Alice cannot change the result after Bob guesses Bob cannot “see” the result before taking the guess –It seems that bit commitment can solve this problem

Coin flip using bit commitment –Alice commits to a bit using one of the previous protocols –Bob guesses the value of the bit –If right, Bob wins, if wrong, Alice wins –After the guess, Bob must be able to verify the result

Coin flip using one-way functions –Alice generates a random number X, and sends Hash(X) to Bob –Bob guess whether X is odd or even –If Bob guesses right, Bob wins, otherwise, Alice wins –Alice reveals X so that Bob can verify. –If Alice can find two numbers (one odd, one even) having the same hash result, she can control the result every time.

Coin flip using commutative encryption (where E_k1(E_k2(msg)) = E_k2(E_k1(msg)) –Alice generates two messages, (R1, Head), (R2, Tail), sends E_k1(m1) and E_k1(m2) to Bob –Bob selects one message and sends back E_k2(E_k1(m)), Alice does not know which one Bob choose –Alice decrypts the message and sends back to Bob, Bob decrypts it again and tells Alice the random number and the result –Alice and Bob reveal their keys to verify the result

Coin flip using commutative encryption –Can Bob cheat? Not if he cannot guess the random string –Can Alice cheat? Send both messages with Head. But later when they reveal the key, Alice will be caught. Alice can lie about the value of R1 and R2: Bob can ask for their hash values before the messages are sent An application of coin flip: –Generate session keys in a collaborative method where no party has a total control –We can flip multiple bits simultaneously

Mental poker: play card on network –Commutative encryption methods will be used –Every party re-encrypt and shuffle the cards to prevent cheating –Example of 3 nodes to play poker

Anonymous key distribution using commutative encryption –Some nodes do not have enough resources to generate secure session keys –A Key Distribution Center will generate keys. But we want to make sure that KDC does not know which key is used by which node. –Solution: commutative encryption

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.