SeND Hash Threat Analysis CSI WG Ana Kukec, Suresh Krishnan, Sheng Jiang.

Slides:

Advertisements

Similar presentations

Public Key Infrastructure and Applications

Advertisements

A CGA based Source Address Authentication Method in IPv6 Access Network(CSA) Guang Yao, Jun Bi and Pingping Lin Tsinghua University APAN26 Queenstown,

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.

Technical Presentation AIAC Group 11. System Rationale System Architecture Secure Channel Establishment Username/Password Cartão Cidadão Digital.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Digital Signatures and Hash Functions. Digital Signatures.

© 2007 Levente Buttyán and Jean-Pierre Hubaux Security and Cooperation in Wireless Networks Chapter 4: Naming and addressing.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Lecture 5: security: PGP Anish Arora CIS694K Introduction to Network Security.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.

Chapter 3 Encryption Algorithms & Systems (Part C)

A Lightweight Hop-by-Hop Authentication Protocol For Ad- Hoc Networks Speaker: Hsien-Pang Tsai Teacher: Kai-Wei Ke Date:2005/01/20.

Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.

E- Business Digital Signature Varna Free University Prof. Teodora Bakardjieva.

Overview of Digital Signatures Introduction To Networks and Communications (CS 555) Presented by Bharath Kongara.

Network Security Chapter Computer Networks, Fifth Edition by Andrew Tanenbaum and David Wetherall, © Pearson Education-Prentice Hall, 2011.

Masud Hasan Secure Project 1. Secure It uses Digital Certificate combined with S/MIME capable clients to digitally sign and.

By Jyh-haw Yeh Boise State University ICIKM 2013.

Csci5233 Computer Security1 Bishop: Chapter 10 Key Management: Digital Signature.

Chapter 5 Digital Signatures MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI 1.

Bob can sign a message using a digital signature generation algorithm

.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.

CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)

Information Security Principles Assistant Professor Dr. Sana’a Wafa Al-Sayegh 1 st Semester ITGD 2202 University of Palestine.

Trust Anchor Management Problem Statement 69 th IETF Trust Anchor Management BOF Carl Wallace.

8-1Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity, authentication.

MIME Object Security Services (MOSS). Privacy Enhanced Mail (PEM) was the first Internet standard to address security in messages. The MOSS protocol.

Cryptography, Authentication and Digital Signatures

Digital Signatures A primer 1. Why public key cryptography? With secret key algorithms Number of key pairs to be generated is extremely large If there.

4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.

Introduction1-1 Data Communications and Computer Networks Chapter 6 CS 3830 Lecture 31 Omar Meqdadi Department of Computer Science and Software Engineering.

Ahmad Alsadeh, Augmented SEND: Aligning Security, Privacy, and Usability Dr. Ahmad Alsadeh Birzeit University Palestine.

23-1 Last time □ P2P □ Security ♦ Intro ♦ Principles of cryptography.

Chapter 16 Security Introduction to CS 1 st Semester, 2012 Sanghyun Park.

1 Julien Laganier MEXT WG, IETF-79, Nov Authorizing MIPv6 Binding Update with Cryptographically Generated Addresses

11.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Message Integrity and Message Authentication.

Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings.

Cryptography (2) University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.

Security PGP IT352 | Network Security |Najwa AlGhamdi 1.

Matej Bel University Cascaded signatures Ladislav Huraj Department of Computer Science Faculty of Natural Sciences Matthias Bel University Banska Bystrica.

© 2007 Levente Buttyán and Jean-Pierre Hubaux Security and Cooperation in Wireless Networks Chapter 4: Naming and addressing.

Secure Neighbor Discovery in IPv6 Jari Arkko Ericsson Research James Kempf DoCoMo US Labs.

1 CMPT 471 Networking II Authentication and Encryption © Janice Regan,

Slide title In CAPITALS 50 pt Slide subtitle 32 pt SEND Certificate Profile draft-krishnan-cgaext-send-cert-eku-01 Suresh Krishnan Ana Kukec Khaja Ahmed.

Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.

Security  is one of the most widely used and regarded network services  currently message contents are not secure may be inspected either.

Integrating Identity based Cryptosystem (IBC) with CGA in Mobile IPv6 draft-cao-mipshop-ibc-cga-00.txt Zhen Cao Hui Deng IETF #67.

英文标题 :40-47pt 副标题 :26-30pt 字体颜色 : 反白内部使用字体 : FrutigerNext LT Medium 外部使用字体 : Arial 中文标题 :35-47pt 字体 : 黑体副标题 :24-28pt 字体颜色 : 反白字体 : 细黑体.

2/25/2016CSI WG/IETF761 Open Source Project SEND & Extensions Beijing University of Posts & Telecommunications HUAWEI Yuhong LI (Speaker) Wendong WANG.

CSI WG / IETF741/12 Implementation of SeND/CGA and Extensions Beijing University of Posts and Telecommunications HUAWEI.

Fourth Edition by William Stallings Lecture slides by Lawrie Brown

Suresh Krishnan Secure Proxy ND Suresh Krishnan

Web Applications Security Cryptography 1

Reporter :Chien-Wen Huang

Secure Proxy ND Support for SEND draft-krishnan-csi-proxy-send-00

Trust Anchor Management Problem Statement

S/MIME T ANANDHAN.

Pre-image Resistance: Given a, hard to find b such that ____

Protocol ap1.0: Alice says “I am Alice”

Digital Signatures…!.

Chapter 8 roadmap 8.1 What is network security?

Presentation transcript:

SeND Hash Threat Analysis CSI WG Ana Kukec, Suresh Krishnan, Sheng Jiang

2 / 10 Recent Attacks on Hash Functions Hash algorithm properties: one-way and collision-free –Attacks against one-way property are not feasible yet. –Collision free property is becoming weaker for currently popular hash algorithms. Researchers demonstrated attacks against MD5, SHA-1 and a special construction of PKIX certificates with MD5 signature –Attacks against SHA-1 are not feasible with today's computers, but will be if attacks are improved or Moore's Law continues to make computing power cheaper The conservative security approach is to change hash algorithms or enable hash agility

3 / 10 Impact of These Attacks on SeND We analyze the impact of these attacks on SEND case by case Stateless autoconfiguration (CGAs) –RFC 4982 has analyzed the impact of these attacks on CGA and enabled CGA to support hash agility CGAs don't deal with non-repudiation. CGAs cannot verify the identity of the owner CGAs only provide proof-of-ownership of the private key corresponding to the public key used to generate CGA SeND specification does not require for key pair to be –The node that signes the message creates the message and associated hash –Hence, CGA-based protocols, including SeND, are not affected by collision attacks

4 / 10 Impact of These Attacks on SeND (2) Router authorization (Authorization Delegation Discovery process) –The attacker could generate a false Router Authorization certificate or a false middle certificate with the similar certificate, if he could predict the certificate data. –The most attractive is attack against middle certificates; attacker changes a single certificate and launches attack on a set of routers

5 / 10 –Attacker could produce a false certificate with the same signature, but different public keys We are at least safe from attacks against TA certificate Certificate profile is not yet completely defined, there might be more certificate extensions that are not human readable –Although there have not been performed a demonstrable real-world collision attacks on certificates, such attacks are theoretically possible - future improved attacks could succeed. Impact of These Attacks on SeND (3)

6 / 10 Impact of These Attacks on SeND (4) Digital Signature in the RSA Signature option –The possible attack on explicit digital signature is non- repudiation attack. Attacker could generate a false message with the same hash and sign that false hashed message with authorized private key. –Hard prediction of the useful input data minimizes the possibility to perform a real-world collision attack. –However, a variant of SHA-1 is already affected with recent collision attacks. Future attacks will be improved.

7 / 10 Impact of These Attacks on SeND (5) Key Hash in the RSA Signature option –The message to be hashed is the public key authorized through CGAs or through certification path. Receiver has to verify that the hashed public key (Key Hash) is the same as the public key in the CGA option. Additionally, if receiver has configured Trust Anchors, he would have to verify the certificate path between the Trust Anchor and sender. –Collision attacks against Key Hash do not result in new vulnerabilities Changed key pair used in RSA Signature option will be detected in the process of CGA verification

8 / 10 Summary on the Hash Threat on SeND Hash functions used by SeND: –Collision attacks do not result in new vulnerabilities (in case of CGAs and Key Hash from the RSA Signature option) –or it is difficult (but theretically possible!) to predict input data for hash function, and therefore, to perform a useful real-world collision-attack (in case of Digital Signature in the RSA Signature option and PKIX certificates in ADD process) However, we cannot guarantee the future security of SeND –Recent attacks indicate the possibility of future real-world attacks, particularly in case of Digital Signature in the RSA Signature option and PKIX certificates in ADD process –Attacks always get better; they never get worse.

9 / 10 Support for Hash Agility on SeND Migrating to a new hash algorithm, such as SHA-256, may only solve the problem for a while We are now analyzing how to provide hash agility on SeND –Issues such as backwards compatibility, downgrade protection, etc., are taken into account –We probably need a new ND option In such a way we can not avoid the downgrade attack completely but an attacker would have to break both the hash and signature (ND option is under Digital Signature protection)

10 / 10 Conclusions Attacks are theoretically possible on SeND on both the hash algorithm and the signature algorithm We need hash and signature algorithm agility This needs to be addressed when we update or enhance SeND We will still be vulnerable to bidding-down attacks

11 / 10 Thanks! Questions?