Slide 1 Vitaly Shmatikov CS 378 Public-Key Authentication and Public-Key Infrastructure.

Slides:



Advertisements
Similar presentations
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Advertisements

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Public Key Infrastructure (PKI)
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
1 ISA 562 Information Systems Theory and Practice 10. Digital Certificates.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Public Key Management and X.509 Certificates
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
Report on Attribute Certificates By Ganesh Godavari.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
Chapter 5 Network Security Protocols in Practice Part I
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Slide 1 Many slides from Vitaly Shmatikov, UT Austin Public-Key Infrastructure CNS F2006.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
Slide 1 Vitaly Shmatikov CS 378 Key Establishment Pitfalls.
CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.
Key Distribution CS 470 Introduction to Applied Cryptography
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Security Management.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Computer Science Public Key Management Lecture 5.
Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.
Secure r How do you do it? m Need to worry about sniffing, modifying, end- user masquerading, replaying. m If sender and receiver have shared secret.
ECE454/599 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2012.
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
NENA Development Conference | October 2014 | Orlando, Florida Security Certificates Between i3 ESInet’s and FE’s Nate Wilcox Emergicom, LLC Brian Rosen.
SECURITY MANAGEMENT Key Management in the case of public-key cryptosystems, we assumed that a sender of a message had the public key of the receiver at.
1 Chapter 9: Key Management All algorithms we have introduced are based on one assumption: keys have been distributed. But how to do that? Key generation,
CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure.
23-1 Last time □ P2P □ Security ♦ Intro ♦ Principles of cryptography.
Authentication 3: On The Internet. 2 Readings URL attacks
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian
Fall 2010/Lecture 321 CS 426 (Fall 2010) Key Distribution & Agreement.
Digital Signatures, Message Digest and Authentication Week-9.
Protocols for public-key management. Key management –two problems Distribution of public keys (for public- key cryptography) Distribution of secret keys.
X.509 Topics PGP S/MIME Kerberos. Directory Authentication Framework X.509 is part of the ISO X.500 directory standard. used by S/MIME, SSL, IPSec, and.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Chapter 10: Key Management in Public key cryptosystems Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Modified by Prof. M. Singhal,
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.
Computer and Network Security - Message Digests, Kerberos, PKI –
Cryptography and Network Security Chapter 14
Key Management. Authentication Using Public-Key Cryptography  K A +, K B + : public keys Alice Bob K B + (A, R A ) 1 2 K A + (R A, R B,K A,B ) 3 K A,B.
Digital Signatures and Digital Certificates Monil Adhikari.
Key Management Network Systems Security Mort Anvari.
Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
1 Public Key Infrastructure Dr. Rocky K. C. Chang 25 February, 2002.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
1 Public Key Infrastructure Rocky K. C. Chang 6 March 2007.
Mar 28, 2003Mårten Trolin1 This lecture Certificates and key management Non-interactive protocols –PGP SSL/TLS –Introduction –Phases –Commands.
Fall 2006CS 395: Computer Security1 Key Management.
1 Chapter 3-3 Key Distribution. 2 Key Management public-key encryption helps address key distribution problems have two aspects of this: –distribution.
Pertemuan #8 Key Management Kuliah Pengaman Jaringan.
Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.
Key management issues in PGP
CS480 Cryptography and Information Security
Information Security message M one-way hash fingerprint f = H(M)
Digital Certificates and X.509
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Presentation transcript:

slide 1 Vitaly Shmatikov CS 378 Public-Key Authentication and Public-Key Infrastructure

slide 2 fresh random challenge C Authentication with Public Keys Alice Bob PRIVATE KEY PUBLIC KEY “I am Alice” sig Alice (C) Verify Alice’s signature on c 1.Only Alice can create a valid signature 2.Signature is on a fresh, unpredictable challenge Potential problem: Alice will sign anything

slide 3 Mafia-in-the-Middle Attack [from Anderson’s book] customer XXX Adult entertainment Over 21 only! Mafia porn site Picture 143! Bank Buy 10 gold coins Sign ‘X’ Prove your age by signing ‘X’ sig K (x) PRIVATE KEY K sig K (x)

slide 4 Early Version of SSL (Simplified) AliceBob encrypt PublicKey(Bob) (“Alice”, K AB ) encrypt K AB (“Alice”, sig Alice (N B )) fresh session key encrypt K AB (N B ) fresh random number uBob’s reasoning: I must be talking to Alice because… Whoever signed N B knows Alice’s private key… Only Alice knows her private key… Alice must have signed N B … N B is fresh and random and I sent it encrypted under K AB … Alice could have learned N B only if she knows K AB … She must be the person who sent me K AB in the first message...

slide 5 Breaking Early SSL Alice encrypt PK(Charlie) (“Alice”,K AC ) enc K AC (“Alice”, sig Alice (N B )) Charlie (with an evil side) Bob encrypt PK(Bob) (“Alice”,K CB ) encrypt K CB (N B ) encrypt K AC (N B ) encrypt K CB (“Alice”, sig Alice (N B )) This signature says that it was created by Alice, but not why or for whom uCharlie uses his legitimate conversation with Alice to impersonate Alice to Bob Information signed by Alice is not sufficiently explicit

slide 6 Authenticity of Public Keys ? Problem: How does Alice know that the public key she received is really Bob’s public key? private key Alice Bob public key Bob’s key

slide 7 Distribution of Public Keys uPublic announcement or public directory Risks: forgery and tampering uPublic-key certificate Signed statement specifying the key and identity –sig Alice (“Bob”, PK B ) uCommon approach: certificate authority (CA) Single agency responsible for certifying public keys After generating a private/public key pair, user proves his identity and obtains CA’s certificate (offline) Every computer is pre-configured with CA’s public key and can verify certificates signed by CA

slide 8 Using Public-Key Certificates Authenticity of public keys is reduced to authenticity of one key (CA’s public key)

slide 9 Hierarchical Approach uSingle CA certifying every public key is impractical uInstead, use a trusted root authority For example, Verisign Everybody must know the public key for verifying root authority’s signatures uRoot authority signs certificates for lower-level authorities, lower-level authorities sign certificates for individual networks, and so on Instead of a single certificate, use a certificate chain –sig Verisign (“UT Austin”, PK UT ), sig UT (“Vitaly S.”, PK V ) What happens if root authority is ever compromised?

slide 10 Alternative: “Web of Trust” uUsed in PGP (Pretty Good Privacy) uInstead of a single root certificate authority, each person has a set of keys they “trust” If public-key certificate is signed by one of the “trusted” keys, the public key contained in it will be deemed valid uTrust can be transitive Can use certified keys for further certification Alice Friend of Alice Friend of friend Bob sig Alice (“Friend”, Friend’s key) sig Friend (“FoaF”, FoaF’s key) I trust Alice

slide 11 X.509 Authentication Service uInternet standard ( ) uSpecifies certificate format X.509 certificates are used in IPSec and SSL/TLS uSpecifies certificate directory service For retrieving other users’ CA-certified public keys uSpecifies a set of authentication protocols For proving identity using public-key signatures uDoes not specify crypto algorithms Can use it with any digital signature scheme and hash function, but hashing is required before signing

slide 12 X.509 Certificate Added in X.509 versions 2 and 3 to address usability and security problems (read Stallings 4.2)

slide 13 Certificate Revocation uRevocation is very important uMany valid reasons to revoke a certificate Private key corresponding to the certified public key has been compromised User stopped paying his certification fee to this CA and CA no longer wishes to certify him CA’s certificate has been compromised! uExpiration is a form of revocation, too Many deployed systems don’t bother with revocation Re-issuance of certificates is a big revenue source for certificate authorities

slide 14 Certificate Revocation Mechanisms uOnline revocation service When a certificate is presented, recipient goes to a special online service to verify whether it is still valid –Like a merchant dialing up the credit card processor uCertificate revocation list (CRL) CA periodically issues a signed list of revoked certificates –Credit card companies used to issue thick books of canceled credit card numbers Can issue a “delta CRL” containing only updates uQuestion: does revocation protect against forged certificates?

slide 15 X.509 Certificate Revocation List Because certificate serial numbers must be unique within each CA, this is enough to identify the certificate

slide 16 X.509 Version 1 AliceBob “Alice”, sig Alice (Time Alice, “Bob”, encrypt PublicKey(Bob) (message)) uEncrypt, then sign for authenticated encryption Goal: achieve both confidentiality and authentication E.g., encrypted, signed password for access control uDoes this work?

slide 17 Attack on X.509 Version 1 AliceBob “Alice”, sig Alice (Time Alice, “Bob”, encrypt PublicKey(Bob) (password)) uReceiving encrypted password under signature does not mean that the sender actually knows the password! uProper usage: sign, then encrypt Attacker extracts encrypted password and replays it under his own signature “Charlie”, sig Charlie (Time Charlie, “Bob”, encrypt PublicKey(Bob) (password))

slide 18 Denning-Sacco Protocol AliceBob “I’m Alice”, cert Alice, cert Bob, encrypt PublicKey(Bob) (sig Alice (Time Alice, K AB )) uGoal: establish a new shared key K AB with the help of a trusted certificate service Certificate server “Alice”, “Bob” cert Alice, cert Bob

slide 19 Attack on Denning-Sacco Alice Charlie (with an evil side) “I’m Alice”, cert Alice, cert Charlie, encrypt PublicKey(Charlie) (sig Alice (Time Alice, K AC )) uAlice’s signature is insufficiently explicit Does not say to whom and why it was sent uAlice’s signature can be used to impersonate her Nothing in this signature says that it was sent to Charlie! Bob “I’m Alice”, cert Alice, cert Bob, encrypt PublicKey(Bob) ( sig Alice (Time Alice, K AC ))

slide 20 Reading Assignment uStallings 3.6 and 4.2

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.