Chapter 9 Cryptographic Protocol Cryptography-Principles and Practice Harbin Institute of Technology School of Computer Science and Technology Zhijun Li.


Zhijun Li S /Autumn08/HIT

Outline
Structure of Cryptographic Protocol
Cryptographic Protocols
  – Key Establishment Protocols
  – Authentication Protocols
Zero Knowledge Protocol

Protocol Review
Protocol:
  – Rules that detail the interaction between parties in a communication
Note:
  – A series of steps
  – At least two parties (normally 2 or 3 parties)
  – In communication
Cryptographic protocol:
  – Using cryptography for security

Requirements of Protocol
Every party knows the steps needed to complete the protocol in advance
Every party must follow the protocol
Each step must be defined explicitly and cannot be misunderstood
The protocol must be complete and define the action for every possible case

Arbitration Protocol
Note:
  – The protocol can work only with an arbitrator
  – The arbitrator is always trusted (condition)
  – Example: Alice → Lawyer: car; Bob → Lawyer: money; Lawyer → Alice: money; Lawyer → Bob: car
[Diagram: Alice, Bob and Trent (arbitrator)]

Verdict Protocol
Note:
  – The protocol works without a judge
  – A verdict is introduced only if a dispute arises
  – Example: Alice, Bob → Lawyer: self; Bob → Lawyer: evidence; Alice → Lawyer: evidence; Judge decides
[Diagram: Alice, Bob and Trent (judge); evidence]

Self-enforcing Protocol
Note:
  – The protocol works with only Alice and Bob
  – Security is assured by the protocol design
  – Example: Alice → Bob: A; Bob → Alice: B; Alice computes; Bob computes; Alice → Bob: AB; Bob → Alice: BA
[Diagram: Alice and Bob]

Attacks on the Protocol
Passive attack
  – Can eavesdrop on the information in communication
  – Can eavesdrop on the information in the computer
Active attack
  – Can modify the information in communication
  – Can modify the information in the computer
  – Can impersonate the parties
  – Some parties may not abide by the protocol

Outline
Structure of Cryptographic Protocol
Cryptographic Protocols
  – Key Establishment Protocols
  – Authentication Protocols
Zero Knowledge Protocol

Key Establishment Protocols
Key distribution protocols
  – Distributed by a trusted authority (TA)
  – Example: Needham-Schroeder protocol
Key agreement protocols
  – Key can be established without TA
  – Example: Diffie-Hellman key agreement protocol

Needham-Schroeder Protocol
Alice → Trent: A, B, R_A
  – A is Alice's name, B is the name of Bob, R_A is a random number
Trent → Alice: E_A(R_A, B, K, E_B(K, A))
  – K is the session key
  – E_A and E_B are encryption using A's key and B's key
Alice → Bob: E_B(K, A)
  – After decrypting the above message
Bob → Alice: E_K(R_B)
  – R_B is a random number
Alice → Bob: E_B(R_B - 1)
Bob verifies R_B - 1

Needham-Schroeder Remark
R_A, R_B, and R_B - 1 can prevent a replay attack
BUT Mallory can store an old K
  – Mallory → Bob: E_B(K, A)
  – Bob → "Alice" (Mallory): E_K(R_B)
      R_B is a random number
  – Mallory → Bob: E_B(R_B - 1)
  – Bob verifies R_B - 1
  – Mallory can impersonate Alice

Otway-Rees Protocol
Idea: add timestamp
Alice → Bob: I, A, B, E_A(R_A, I, A, B)
  – I is the index number
Bob → Trent: I, A, B, E_A(R_A, I, A, B), E_B(R_A, I, A, B)
Trent → Bob: I, E_A(R_A, K), E_B(R_B, K)
  – After decrypting the above message
Bob → Alice: I, E_A(R_A, K)
  – R_B is a random number
Alice verifies I and R_B

Diffie-Hellman Key Agreement
Exchanging a secret key over a public channel
Key exchange protocol
  – Select public parameters p,  and n
      p is prime and  is of order n in Z_p*
  – Alice selects random b privately and Alice → Bob: [  b mod p]
  – Bob selects random c privately and Bob → Alice: [  c mod p]
  – Alice and Bob compute  bc mod p (shared secret key)
Bob and Alice's key is  bc

Example of DH Exchange
Globally known P= and  =2
Alice chooses b=12345 and sends Bob [B=  b mod p= ]
Bob chooses c= and sends Alice [C=  c mod p= ]
Alice computes the secret key as C^b mod p=
Bob computes the secret key as B^c mod p=
So the secret key between Alice and Bob is

Security of DH
Security of the Diffie-Hellman key exchange protocol is based on the CDH problem
Computational Diffie-Hellman (CDH)
  – Given a group (G, *), an element g with order q, and g^x and g^y, find g^(xy)
DLP is at least as hard as CDH
An algorithm that solves CDH can be used to decrypt ElGamal

CDH and ElGamal
Any algorithm that solves CDH can be used to decrypt ElGamal ciphertexts
Intuition:
  – Decrypting (c_1 = g^k, c_2 = m  k ) is equivalent to computing  k
  – Knows c_1 = g^k,  = g^a, and needs to compute g^(ka)
Proof:
  – Assume that algorithm OracleCDH solves CDH
  – Let (c_1, c_2) be an ElGamal ciphertext
  – Let  = g^a, c_1 = g^k mod p, c_2 = m(g^a)^k mod p
  – y = OracleCDH(g, , c_1)
  – m = c_2 y^-1

Man-in-the-middle Attack
There is a man-in-the-middle attack
Need to be careful who you are agreeing a key with
[Diagram: Alice (a, g^a), Eve (m, n; g^m, g^n), Bob (b, g^b); resulting keys g^(am) and g^(bn)]

Diffie-Hellman is NOT Enough
How does Alice know who she is agreeing a key with, is it Bob or Eve?
Using signature:
  – Alice signs her message to Bob
  – Bob signs his message to Alice
  – In that way both parties know who they are talking to
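
The interception from the man-in-the-middle slide and the signature check from this one, as an added example that is not part of the original slides. The parameters (p = 23, g = 5), the fixed exponents and the tiny textbook-RSA key are constructed assumptions, and only Alice's value is signed so that Bob's check is the one shown.

```python
# Constructed toy parameters (assumptions; far too small for real use).
P, G = 23, 5                           # prime modulus and a primitive root mod 23
RSA_N, RSA_E, RSA_D = 3233, 17, 2753   # Alice's textbook-RSA key (n = 61 * 53)

def public(x):
    """Public DH value G^x mod P for private exponent x."""
    return pow(G, x, P)

def shared(own_private, peer_public):
    """Shared secret peer_public^own_private mod P."""
    return pow(peer_public, own_private, P)

def sign(value):
    """Alice signs her DH public value (textbook RSA, no hashing or padding)."""
    return pow(value, RSA_D, RSA_N)

def verify(value, signature):
    """Bob checks the signature with Alice's authentic key (RSA_N, RSA_E)."""
    return pow(signature, RSA_E, RSA_N) == value

def exchange(a, b, eve=None, check_signature=False):
    """Run one exchange; eve=(m, n) swaps both public values in transit.

    Returns (Alice's key, Bob's key, keys Eve can compute), or None when
    Bob's signature check fails and he aborts.
    """
    A, B = public(a), public(b)
    signature = sign(A)                 # travels with A; Eve does not hold RSA_D
    seen_by_alice, seen_by_bob = B, A
    eve_keys = None
    if eve is not None:
        m, n = eve
        seen_by_alice, seen_by_bob = public(m), public(n)
        eve_keys = (shared(m, A), shared(n, B))
    if check_signature and not verify(seen_by_bob, signature):
        return None
    return shared(a, seen_by_alice), shared(b, seen_by_bob), eve_keys

if __name__ == "__main__":
    print(exchange(6, 15))                                     # honest run
    print(exchange(6, 15, eve=(13, 9)))                        # unauthenticated
    print(exchange(6, 15, eve=(13, 9), check_signature=True))  # signed value
```

In the unauthenticated run Alice and Bob end with different keys, each of which Eve can also compute; with the signature check Bob rejects the substituted value before deriving any key.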

For Public Key Establishment
Above is private key establishment
For public key establishment:
  – Intuition: the distribution of public keys is secure
  – But: there is a man-in-the-middle attack
[Diagram: Alice, Bob, Mallory and the KDC; public keys K_PA, K_PB and Mallory's K_PM]

Interlock Protocol
Alice → Bob: K_PA
Bob → Alice: K_PB
Alice → Bob: Half_1(E_{K_PB}(M))
  – After decrypting the above message
Bob → Alice: Half_1(E_{K_PA}(M))
Alice → Bob: Half_2(E_{K_PB}(M))
Bob combines Half_1 and Half_2 and decrypts
Bob → Alice: Half_2(E_{K_PA}(M))
Alice combines Half_1 and Half_2 and decrypts

Outline
Structure of Cryptographic Protocol
Cryptographic Protocols
  – Key Establishment Protocols
  – Authentication Protocols
Zero Knowledge Protocol

Authentication Protocol
Goal: two parties authenticate each other
Example:
  – Alice wants to log in to a computer
      Hashing + salt
      SKEY
  – Alice and Bob want to authenticate each other
      SKID (MAC) Protocol
      DASS Protocol

SKEY
Computer computes f(R), f(f(R)), … 100 times
In the computer's database: Alice + x_101
Alice stores x_1, x_2, x_3, …, x_100
1st login:
  – Alice inputs her name and x_100
  – Computer computes f(x_100)
  – Computer replaces x_101 by x_100 in the database
  – Alice deletes x_100 from her list
2nd login:
  – Alice inputs the last x_i in her list
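
The SKEY login steps above as running code, an added example that is not part of the original slides. SHA-256 as f, the seed, the chain length of 5 and the `Server` class are assumptions made for illustration.

```python
import hashlib
import hmac

def f(x: bytes) -> bytes:
    """One-way function f; SHA-256 is an assumption (the slide only says f)."""
    return hashlib.sha256(x).digest()

def make_chain(seed: bytes, n: int = 100):
    """Return ([x_1, ..., x_n], x_{n+1}) with x_1 = f(seed), x_{i+1} = f(x_i)."""
    chain, x = [], seed
    for _ in range(n + 1):
        x = f(x)
        chain.append(x)
    return chain[:n], chain[n]

class Server:
    def __init__(self):
        self.db = {}                       # name -> last accepted value

    def enroll(self, name, verifier):
        self.db[name] = verifier           # initially x_{n+1}

    def login(self, name, otp):
        stored = self.db.get(name)
        if stored is None or not hmac.compare_digest(f(otp), stored):
            return False
        self.db[name] = otp                # x_i replaces x_{i+1}
        return True

def demo():
    """Walk through logins with a constructed 5-element chain."""
    passwords, verifier = make_chain(b"constructed seed R", n=5)
    server = Server()
    server.enroll("alice", verifier)
    first = passwords.pop()                # x_5; Alice deletes it from her list
    results = {
        "first login": server.login("alice", first),
        "replay of same value": server.login("alice", first),
        "next value": server.login("alice", passwords.pop()),
        "skipping ahead": server.login("alice", passwords[0]),
        "unknown user": server.login("mallory", first),
    }
    results["values left"] = len(passwords)
    return results

if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

A captured value is useless for the next login because the server now expects its preimage under f, and the stored verifier never reveals a value Alice has not yet used.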

SKID
Alice → Bob: R_A
  – R_A is a random number
Bob → Alice: R_B, H_K(R_A, R_B, B)
  – H_K is the MAC
Alice computes H_K(R_A, R_B, B) and checks
  – At this step, Alice can authenticate Bob
Alice → Bob: H_K(R_B, A)
Bob computes H_K(R_B, A) and checks
  – At this step, Bob can authenticate Alice
  – A man-in-the-middle attack also exists

DASS
DASS: Distributed Authentication Security Service
Alice → Trent: B
Trent → Alice: K_PB, Sig_{K_ST}(B, K_PB)
Alice → Bob: E_K(T_A), E_{K_PB}(L, A, K_PP), Sig_{K_SA}(L, A, K_PP), E_{K_PB}(K), Sig_{K_SP}(E_{K_PB}(K))
  – K is the session key; T_A is the timestamp; L is the life of the key; K_PP/K_SP are a public/private key pair
Bob → Trent: A
Trent → Alice: K_PA, Sig_{K_ST}(A, K_PA)
Bob verifies them
Bob → Alice: E_K(T_B)
Alice checks T_B

Outline
Structure of Cryptographic Protocol
Cryptographic Protocols
  – Key Establishment Protocols
  – Authentication Protocols
Zero Knowledge Protocol

Zero Knowledge Protocol
Motivation:
  – When Alice authenticates to a server, she gives her password, but the server can then impersonate her
  – Alice can prove she is "Alice", but she gives the computer zero knowledge
  – Zero-knowledge protocol: allows a prover to prove that he possesses a secret without revealing any information when verifying
  – Normally uses a challenge-response protocol

Zero Knowledge Proof of Identity
Alice's secret key is a function of her "Identity"
  – Through a zero-knowledge proof, she can prove that she knows her secret key
  – Fiat-Shamir Identity Protocol

Fiat-Shamir Identity Protocol
System parameter: n = pq
Public identity: v (v is a quadratic residue mod n)
Private authenticator: s ≡ sqrt(v^-1) mod n
Protocol (repeat t times):
  – Alice picks random r in Z_n*
  – Alice → Bob: x = r^2 mod n
  – Bob checks x ≠ 0
  – Bob → Alice: random c in {0,1}
  – Bob ← Alice: y; if c=0, y = r; if c=1, y = rs mod n
  – Bob accepts: if c=0, x = r^2 mod n; if c=1, x ≡ y^2 v mod n

Security of Fiat-Shamir Protocol
If Alice does not know s, she can cheat Bob with prob. ½
  – t times: the probability is 1/2^t
r cannot be used twice
  – If used, Bob may compute s by s = r^-1 y
  – Not zero-knowledge
Bob can impersonate Alice with prob. ½
  – t times: the probability is 1/2^t

Parallel Fiat-Shamir Protocol
System parameter: n = pq
Public identity: v_1, …, v_k (v_i is a quadratic residue mod n)
Private authenticator: s_i ≡ sqrt(v_i^-1) mod n
Protocol (repeat t times):
  – Alice picks random r in Z_n*
  – Alice → Bob: x = r^2 mod n
  – Bob checks x ≠ 0
  – Bob → Alice: a random {0,1} bit string b_0, b_1, …, b_k
  – Bob ← Alice: y = r · (s_1^b_1 · s_2^b_2 · … · s_k^b_k) mod n
  – Bob accepts if x ≡ y^2 · (v_1^b_1 · v_2^b_2 · … · v_k^b_k) mod n

Fiat-Shamir Protocol Example
N = 35 = 5 × 7
  – Alice → Bob: x = r^2 = 16^2 mod 35 = 11
  – Bob → Alice: {0,1} string {1, 1, 0, 1}
  – Bob ← Alice: y = 16 · (3^1 · 4^1 · 9^0 · 8^1) mod 35 = 31
  – Bob accepts if 11 ≡ 31^2 · (4^1 · 11^1 · 16^0 · 29^1) mod 35
[Table columns: v, v^-1, s = sqrt(v^-1)]
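
The parallel Fiat-Shamir round checked with the numbers from this slide, together with the two security remarks made earlier (reuse of r reveals s; a prover without s passes only when the challenge was guessed). This is an added example, not part of the original slides; the function names and the values y = 2 and guess (1, 0, 0, 0) in the usage lines are assumptions.

```python
N = 35                       # n = p*q = 5*7, from the slide (toy size)
V = (4, 11, 16, 29)          # public identity values v_i from the slide
S = (3, 4, 9, 8)             # matching secrets, s_i = sqrt(v_i^-1) mod n

def product(values, bits, n=N):
    """Multiply together the values whose challenge bit is 1, mod n."""
    out = 1
    for val, bit in zip(values, bits):
        if bit:
            out = out * val % n
    return out

def commit(r, n=N):
    """Alice's commitment x = r^2 mod n."""
    return r * r % n

def respond(r, secret_values, bits, n=N):
    """Alice's response y = r * prod(s_i^b_i) mod n."""
    return r * product(secret_values, bits, n) % n

def verify(x, y, publics, bits, n=N):
    """Bob's check: x != 0 and x == y^2 * prod(v_i^b_i) mod n."""
    return x != 0 and x == y * y * product(publics, bits, n) % n

def recover_secret(r, y, n=N):
    """If r was revealed (c=0) and then reused with c=1, s = r^-1 * y mod n."""
    return pow(r, -1, n) * y % n

def guessed_commitment(y, publics, guess, n=N):
    """Without s: fix y first, then x = y^2 * prod(v_i^b_i) for a guessed challenge."""
    return y * y * product(publics, guess, n) % n

if __name__ == "__main__":
    bits = (1, 1, 0, 1)
    x, y = commit(16), respond(16, S, bits)
    print(x, y, verify(x, y, V, bits))                 # the slide's round
    print(recover_secret(16, respond(16, S[:1], (1,))))  # r reused: s_1 leaks
    gx = guessed_commitment(2, V, (1, 0, 0, 0))
    print(verify(gx, 2, V, (1, 0, 0, 0)), verify(gx, 2, V, (0, 0, 0, 0)))
```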

Summary
Structure of Cryptographic Protocol
  – Arbitration Protocol
  – Verdict Protocol
  – Self-enforcing Protocol
Cryptographic Protocols
  – Key Establishment Protocols
  – Authentication Protocols
  – Zero Knowledge Protocol