Oct 28, 2004WPES 20041 Off-the-Record Communication, or, Why Not to Use PGP Nikita Borisov Ian Goldberg Eric Brewer.

Slides:



Advertisements
Similar presentations
The Diffie-Hellman Algorithm
Advertisements

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
17 May Multiple Sites. 17 May Multiple Sites This presentation assumes you are already familiar with Doors and all its standard commands It.
© Pearson Education Limited, Chapter 8 Normalization Transparencies.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.
Off-the-Record Communication, or, Why Not To Use PGP
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
18-1 Last time Internet Application Security and Privacy  Transport-layer security and privacy: TLS / SSL, Tor The Nymity Slider  Application-layer security.
Information Security & Cryptographic Principles. Infosec and Cryptography Subjects / Topics : 1. Introduction to computer cryptography 1. Introduction.
PGP Overview 2004/11/30 Information-Center meeting peterkim.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
Copyright Justin Klein Keane InfoSec Training Encryption.
1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
Class on Security Raghu. Current state of Security Cracks appear all the time Band Aid solutions Applications are not designed properly OS designs are.
ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.
1 CPSC156: The Internet Co-Evolution of Technology and Society Lectures 19,20, and 21: April 5, 10, and 12, 2007 Cryptographic Primitives.
Computer Science Public Key Management Lecture 5.
Cryptography 101 Frank Hecker
Csci5233 Computer Security1 Bishop: Chapter 10 Key Management: Digital Signature.
Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Pretty Good Privacy by Philip Zimmerman presented by: Chris Ward.
Secure r How do you do it? m Need to worry about sniffing, modifying, end- user masquerading, replaying. m If sender and receiver have shared secret.
25-1 Last time □ Firewalls □ Attacks and countermeasures □ Security in many layers ♦ PGP ♦ SSL ♦ IPSec.
SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.
Security+ All-In-One Edition Chapter 14 – and Instant Messaging Brian E. Brzezicki.
COEN 351 E-Commerce Security Essentials of Cryptography.
Public-Key Cryptography CS110 Fall Conventional Encryption.
Introduction1-1 Data Communications and Computer Networks Chapter 6 CS 3830 Lecture 31 Omar Meqdadi Department of Computer Science and Software Engineering.
Internet Security. 2 PGP is a security technology which allows us to send that is authenticated and/or encrypted. Authentication confirms the identity.
1 Information Security Practice I Lab 5. 2 Cryptography and security Cryptography is the science of using mathematics to encrypt and decrypt data.
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
Pretty Good Privacy (PGP) Security for Electronic .
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Digital Signatures, Message Digest and Authentication Week-9.
Lecture 2: Introduction to Cryptography
Security Using PGP - Prajakta Bahekar. Importance of Security is one of the most widely used network service on Computer Currently .
14-1 Last time Internet Application Security and Privacy Basics of cryptography Symmetric-key encryption.
COEN 351 E-Commerce Security
Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.
Group 9 Chapter 8.3 – 8.6. Public Key Algorithms  Symmetric Key Algorithms face an inherent problem  Keys must be distributed to all parties but kept.
Digital Signatures and Digital Certificates Monil Adhikari.
Key Management Network Systems Security Mort Anvari.
M2 Encryption techniques Gladys Nzita-Mak. What is encryption? Encryption is the method of having information such as text being converted into a format.
Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.
CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.
Network Security and It’s Issues
25-1 Last time □ Firewalls □ Attacks and countermeasures □ Security in many layers ♦ PGP ♦ SSL ♦ IPSec.
Key management issues in PGP
Cryptography CS 555 Topic 34: SSL/TLS.
Basics of Cryptography
Secure Sockets Layer (SSL)
Basic Network Encryption
Introduction to security goals and usage of cryptographic algorithms
Digital Signatures Last Updated: Oct 14, 2017.
CS 465 TLS Last Updated: Oct 31, 2017.
Public Key Infrastructure
OTR AKE Protocol.
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Security through Encryption
OTR: Off-the-record Communication
Basic Network Encryption
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Security: Integrity, Authentication, Non-repudiation
Presentation transcript:

Oct 28, 2004WPES Off-the-Record Communication, or, Why Not to Use PGP Nikita Borisov Ian Goldberg Eric Brewer

Oct 28, 2004WPES Our Scenario Communication privacy is a complicated problem Simplifying assumptions –Alice and Bob both know how to use PGP –They both know each others public keys –They dont want to hide the fact that they talked, just what they talked about

Oct 28, 2004WPES Solved Problem Alice uses her public key to sign a message –Bob should know who hes talking to She then uses Bobs public key to encrypt it –No one other than Bob can read the message Bob decrypts it and verifies the signature Pretty Good, no?

Oct 28, 2004WPES Threat Model The Internet Alice Bob Bad Guys

Oct 28, 2004WPES Plot Twist Bobs computer is stolen by bad guys –Criminals, competitors –Subpoenaed by the FBI Or just broken into –Virus, trojan, spyware, black bag job All his key material is recovered –Oh no!

Oct 28, 2004WPES Bad guys can… Decrypt past messages Learn their content Learn that Alice sent them –And have a mathematical proof they can show to anyone else How private is that?

Oct 28, 2004WPES What went wrong? Bobs computer got stolen? How many of you have never… –Left your laptop unattended? –Not installed the latest patches? –Run software with a remotely exploitable bug? What about your parents?

Oct 28, 2004WPES What Really Went Wrong The software created lots of incriminating records –Key material that decrypts data sent over the public Internet –Signatures with proofs of who said what Alice better watch what she says –Her privacy depends on Bobs actions

Oct 28, 2004WPES Casual Conversations Alice and Bob talk in a room No one else can hear –Unless being recorded No one else knows what they say –Unless Alice or Bob tell them No one can prove what was said –Not even Alice or Bob

Oct 28, 2004WPES We Like Casual Conversations Legal support for having them –Illegal to record conversations without notification We can have them over the phone –Illegal to tap phone lines But what about over the Internet?

Oct 28, 2004WPES Crypto Tools We have the tools to do this –Weve just been using the wrong ones –(when weve been using crypto at all) We want perfect forward secrecy We want repudiation

Oct 28, 2004WPES Perfect Forward Secrecy Use a short-lived encryption key Encrypt your data with it Discard it after use –Securely erase from memory Use long-term keys to help distribute & authenticate the short-lived key

Oct 28, 2004WPES Repudiable Authentication Do not want digital signatures –Leave non-repudiation for contracts, not conversations Do want authentication –Cant maintain privacy if attackers can impersonate friends Use Message Authentication Codes (MACs)

Oct 28, 2004WPES MAC Operation Data MAC MK DataMAC MK=? Alice Bob

Oct 28, 2004WPES No Third-Party Proofs Shared key authentication –Alice and Bob have same MK –MK required to compute MAC Bob cannot prove that Alice generated the MAC –He could have done it, too –Anyone who can verify can also forge

Oct 28, 2004WPES Off-the-Record Protocol Rough sketch of protocol –Details in the paper Assume Alice and Bob know each others public keys –These keys are long-lived, but we will only use them as a building block

Oct 28, 2004WPES Step 1: Diffie-Hellman Alice and Bob pick random x, y resp. A->B: g x, Sign Alice (g x ) B->A: g y, Sign Bob (g y ) SS=g xy a shared secret Signatures authenticate the shared secret, not content

Oct 28, 2004WPES Step 2: Message Transmission Compute EK=Hash(SS), MK=Hash(EK) A->B: Enc EK (M), MAC(Enc EK (M),MK) Enc is symmetric encryption (AES) Bob verifies MAC using MK, decrypts M using EK Confidentiality and authenticity is assured

Oct 28, 2004WPES Step 3: Re-key Alice and Bob pick x,y A->B: g x, MAC(g x, MK) B->A: g y, MAC(g y, MK) SS = H(g xy ) EK = H(SS), MK=H(EK) Alice and Bob securely erase SS, x, y, and EK –Perfect forward secrecy

Oct 28, 2004WPES IM implementation Instant messaging suited for casual conversations –Current security options not satisfactory Implemented OTR plugin for GAIM –Multi-platform IM client for Linux, Windows Prototype status –Help us test it!

Oct 28, 2004WPES What about ? OTR protocol is interactive –Requires initial exchange to set up keys Can be used for long-term conversations –Each round is a message –Forward secrecy window days, not minutes Can use ring signatures for first interaction

Oct 28, 2004WPES Conclusion Current software provides the wrong privacy properties for casual conversations We want –Perfect forward secrecy –Repudiability Use our OTR protocol –

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.