Presentation is loading. Please wait.

Presentation is loading. Please wait.

Attacks on cryptography – Cyphertext, known pltext, chosen pltext, MITM, brute-force Types of ciphers – Mix of substitution and transposition – Monoalphabetic,

Published byAmber Sinnott Modified over 10 years ago

Similar presentations

Presentation on theme: "Attacks on cryptography – Cyphertext, known pltext, chosen pltext, MITM, brute-force Types of ciphers – Mix of substitution and transposition – Monoalphabetic,"— Presentation transcript:

1 Attacks on cryptography – Cyphertext, known pltext, chosen pltext, MITM, brute-force Types of ciphers – Mix of substitution and transposition – Monoalphabetic, homophonic, polygram, polyalphabetic – Symmetric (stream, block), asymmetric RNGs, block cipher modes (ECB, CFC, CFB, OFB) Public key cryptography – Modular exponentiation for encryption/decryption One-way hash functions – Collision-free, collision-resistant MD5, SHA, DES, AES (not on exams) Summary From the Last Lecture

2 Confidentiality, integrity, non-repudiation – M, E(M), H(M), E(H(M)), H(E(M)) – M + H(M) – M + E(H(M)) – M + H(E(M)) – E(M) + H(M) – E(M) + E(H(M)) – E(M) + H(E(M)) When/How to Encrypt/Hash?

3 Chosen paper must talk about cryptography, authentication, authorization or policy – Select from venues listed on the class Web page – Email me your chosen paper to verify it fits the topic Write 2-4 page report – Summary of problem, why is it important and hard, solution summary, evaluation and results, your opinion and your ideas – Originality, clearness, writing style, must have all sections – Proof-read!! – Start now! First Report Due in Three Weeks

4 Key Exchange

5 Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesn’t scale – Need a trusted third party Using public key cryptography (possible) Using specially crafted messages (Diffie Hellman) Using a trusted third party (KDC) – Secrets should never be sent in clear – We should prevent replay attacks – We should prevent reuse of old keys

6  Exchange a secret with someone you never met while shouting in a room full of people  Alice and Bob agree on g and large n  Alice chooses random a, sends  Bob chooses random b, sends  Alice takes Bob’s message and calculates  Bob does the same; now they both know shared secret Diffie Hellman Key Exchange

7 Building up to Needham Schroeder/Kerberos User sends req. to KDC (key distrib. center) KDC generates a shared key: K c,s Keys K KDC,C and K KDC,S are preconfigured No keys ever traverse net in the clear Why are identities in tickets? KDC Based Key Distribution C C KDC S S 3. EK KDC,S {C, K c,s } 2. EK KDC,C {S, K c,s } 1. C, S ticket

8 KDC does not have to talk both to C and S Messages 2 or 3 can be replayed by M – Force C and S to use same secret for a long time – Cause S to have an old ticket, break comm. w C KDC Based Key Distribution C C KDC S S ticket S = EK KDC,S {C, K c,s } 2. EK KDC,C {S, K c,s }, ticket S 1. C, S 3. ticket S

9 Use nonces to prevent replay attacks Needham-Shroeder Key Exchange C C KDC S S ticket S = EK KDC,S {C, K c,s } 2. EK KDC,C {N 1, S, K c,s, ticket S } 1. N 1, C, S 3. EK C,S {N 2 }, ticket S 4. EK C,S {N 2 -1, N 3 } 5. EK C,S {N 3 -1}

10 Why N 1 ? Why N 2 ? Why N 3 ? Why encrypt ticket S Whys …

11 What happens if attacker gets session key? – Can reuse old session key to answer challenge- response, generate new requests, etc – Need timestamps to ensure freshness = tickets expire after some time Problem

12 Introduce Ticket Granting Server (TGS) – Daily ticket plus session keys Authentication server (AS) authenticates users TGS+AS = KDC – This is modified Needham-Schroeder – Basis for Kerberos Solution

13 Third-party authentication service – Distributes session keys for authentication, confidentiality, and integrity Kerberos TGS 4. TGSRep 3. TGSReq AS 1. ASReq 2. ASRep CS 5. SReq

14 ASReq = userID, TGS, lifetime 1 T TGS = EK AS,TGS (TGS, C, K TGS,C, timestamp 1, lifetime 2 ) ASRep = EK user (K TGS,C, TGS, timestamp 2, lifetime 2 ), T TGS TGSReq = T TGS, EK TGS,C (C, timestamp 3 ), S, lifetime 3 T S = EK S,TGS (S, C, K S,C, timestamp 4, lifetime 4 ) TGSRep = T S, EK C,TGS (K S,C, S, timestamp 5, lifetime 4 ) SReq = EK C,S {C, timestamp 6 }, T S Kerberos K user = f(pass user )

15 Public Key Exchange Problem How do we verify an identity: – Alice sends to Bob her public key Pub(A) – Bob sends to Alice his public key Pub(B) – How do we ensure that those keys really belong to Alice and Bob? Need a trusted third party

16 Public key is public but … – How does either side know who and what the key is for? Does this solve key distribution problem? – No – while confidentiality is not required, integrity is Still need trusted third party – Digital certificates – certificate authority (CA) signs identity+public key tuple with its private key – Problem is finding a CA that both client and server trust Public Key Distribution

17 Man-in-the-Middle Attack On Key Exchange Alice sends to Bob her public key Pub(A) Mallory captures this and sends to Bob Pub(M) Bob sends to Alice his public key Pub(B) Mallory captures this and sends to Alice Pub(M) Now Alice and Bob correspond through Mallory who can read/change all their messages

18 Key Exchange With Interlock Protocol First four steps are the same – Alice to Bob her public key Pub(A) – Mallory captures this and sends to Bob Pub(M) – Bob sends to Alice his public key Pub(B) – Mallory captures this and sends to Alice Pub(M) Alice encrypts a message in Pub(M) but sends half to Bob – Mallory cannot recover this message and duplicate it This works if Mallory cannot mimic Alice’s and Bob’s messages

19 Digital Certificates Everyone has Trent’s public key Trent signs both Alice’s and Bob’s public keys – he generates public-key certificate When they receive keys, verify the signature Mallory cannot impersonate Alice or Bob because her key is signed as Mallory’s Certificate usually contains more than the public key – Name, network address, organization Trent is known as Certificate Authority (CA)

20 Authentication steps – Alice provides nonce, or a timestamp is used instead. – Bob selects session key and sends it to Alice with nonce, encrypted with Bob’s private key and Alice’s public key, sends Bob’s certificate too – Alice validates certificate – it is really Bob’s key inside – Alice checks signature on nonce – Bob really generated the message Certificate-Based Authentication

21 Pretty Good Privacy – “Web of Trust” – Public key, identity association is signed by many entities – Receiver hopefully can locate several signatures that he can trust – Like an endorsement scheme PGP

22 Assumes strict hierarchy of certificate authorities – Nodes in the hierarchy can delegate trust to lower levels X.509

23 User keys installed on server out of band – User logs in with a password – Copies her public key onto server Weak assurance of server keys – User machine remembers server keys on first contact – Checks if this is still the same host on subsequent contact – But no check on first contact SSH

24 Revocation lists (CRL’s) – Long lists – Hard to propagate Lifetime / Expiration – Short life allows assurance of validity at time of issue Real time validation – Online Certificate Status Protocol (OCSP) – Receiver of a certificate asks the CA who signed it if corresponding private key was compromised – Can cache replies Recovery From Stolen Private Keys

25 Group key vs. individual key – Proves that one belongs to the group vs. proving an individual identity – E.g., used for multicast messages Group Keys

26 Revoking access – Change keys, redistribute Joining and leaving groups – New members cannot read old messages on join – backward secrecy – use old key to generate new one – How to revoke access – forward secrecy – much harder Robustness – Coping with network partitioning Efficiency – Cost of use, verification, exchange Group Key Management

27 Centralized – Single entity issues keys – Optimization to reduce traffic for large groups – May utilize application specific knowledge Decentralized – Employs sub managers Distributed – Members do key generation – May involve group contributions Group Key Management

28 Authentication

29 Ideally – Who you are Practically – Something you know (e.g., password) – Something you have (e.g., badge) – Something about you (e.g., fingerprint) Basis for Authentication

30 Password or Algorithm – e.g. encryption key derived from password Issues – Someone else may learn it Find it, sniff it, trick you into providing it – Other party must know how to check – You must remember it Something You Know

31 Password Authentication Alice inputs her password, computer verifies this against list of passwords If computer is broken into, hackers can learn everybody’s passwords – Use one-way functions, store the result for every valid password – Perform one-way function on input, compare result against the list

32 Password Authentication Hackers can compile a list of frequently used passwords, apply one-way function to each and store them in a table – dictionary attack Host adds random salt to password, applies one-way function to that and stores result and salt value – Randomly generated, unique and long enough

33 Password Authentication Someone sniffing on the network can learn the password Lamport hash or S-KEY – time-varying password – To set-up the system, Alice enters random number R – Host calculates x 0= h(R), x 1= h(h(R)), x 2= h(h(h(R))),..., x 100 – Alice keeps this list, host sets her password to x 101 – Alice logs on with x 100, host verifies h(x 100 )=x 101, resets password to x 100 – Next time Alice logs on with x 99

34 Password Authentication Someone sniffing on the network can learn the password – Host keeps a file of every user’s public key – Users keep their private keys – When Alice attempts to log on, host sends her a random number R – Alice encrypts R with her private key and sends to host – Host can now verify her identity by decrypting the message and retrieving R

35 Key Distribution – Confidentiality not needed for public key – Can be obtained ahead of time Performance – Slower than conventional cryptography – Implementations used for key distribution, then use conventional crypto for data encryption Trusted third party still needed – To certify public key – To manage revocation Public Key Authentication

Download ppt "Attacks on cryptography – Cyphertext, known pltext, chosen pltext, MITM, brute-force Types of ciphers – Mix of substitution and transposition – Monoalphabetic,"

Similar presentations

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
SCSC 455 Computer Security

SCSC 455 Computer Security
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
COS 461 Fall 1997 Todays Lecture u intro to security in networking –confidentiality –integrity –authentication –authorization u orientation for assignment.

COS 461 Fall 1997 Todays Lecture u intro to security in networking –confidentiality –integrity –authentication –authorization u orientation for assignment.
CNS2010handout 12 :: crypto protocols1 ELEC5616 computer and network security matt barrie

CNS2010handout 12 :: crypto protocols1 ELEC5616 computer and network security matt barrie
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Authentication & Kerberos

Authentication & Kerberos
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

Similar presentations

Ads by Google