Chapter 9 Cryptographic Protocol Cryptography-Principles and Practice Harbin Institute of Technology School of Computer Science and Technology Zhijun Li.


1 Chapter 9 Cryptographic Protocol
Cryptography-Principles and Practice
Harbin Institute of Technology, School of Computer Science and Technology
Zhijun Li
http://cst.hit.edu.cn/~lizhijun
lizhijun_os@hit.edu.cn

2 Outline
Zhijun Li S1034040/Autumn08/HIT
Structure of Cryptographic Protocol
Cryptographic Protocols
–Key Establishment Protocols
–Authentication Protocols
Zero Knowledge Protocol

3 Protocol Review
Protocol:
–Rules that detail the interaction between parties in a communication
Note:
–A series of steps
–At least two parties (normally 2 or 3 parties)
–In communication
Cryptographic protocol:
–Using cryptography for security

4 Requirements of Protocol
Every party knows, in advance, the steps to complete the protocol
Every party must follow the protocol
Each step must be defined explicitly and cannot be misunderstood
The protocol must be complete and define the action for every possible case

5 Arbitration Protocol
Note:
–The protocol can work only with an arbitrator
–The arbitrator is always trusted (condition)
–Example: Alice →[car] Lawyer; Bob →[money] Lawyer; Lawyer →[money] Alice; Lawyer →[car] Bob
[Figure: Alice, Bob, Trent (arbitrator)]

6 Verdict Protocol
Note:
–The protocol works without a judge
–A verdict is introduced only if a dispute arises
–Example: Alice, Bob →[self] Lawyer; Bob →[evidence] Lawyer; Alice →[evidence] Lawyer; Judge decides
[Figure: Alice, Bob, Trent, Judge, Evidence]

7 Self-enforcing Protocol
Note:
–The protocol works with only Alice and Bob
–Security is assured by the protocol design
–Example: Alice →[A] Bob; Bob →[B] Alice; Alice computes; Bob computes; Alice →[AB] Bob; Bob →[BA] Alice
[Figure: Alice, Bob]

8 Attacks on the Protocol
Passive attack
–Can eavesdrop on the information in communication
–Can eavesdrop on the information in the computer
Active attack
–Can modify the information in communication
–Can modify the information in the computer
–Can impersonate the parties
–Some parties may not abide by the protocol

9 Outline
Structure of Cryptographic Protocol
Cryptographic Protocols
–Key Establishment Protocols
–Authentication Protocols
Zero Knowledge Protocol

10 Key Establishment Protocols
Key distribution protocols
–Distributed by a trusted authority (TA)
–Example: Needham-Schroeder protocol
Key agreement protocols
–Key can be established without a TA
–Example: Diffie-Hellman key agreement protocol

11 Needham-Schroeder Protocol
Alice → Trent: A, B, R_A
–A is Alice's name, B is Bob's name, R_A is a random number
Trent → Alice: E_A(R_A, B, K, E_B(K, A))
–K is the session key
–E_A and E_B are encryption using A's key and B's key
Alice → Bob: E_B(K, A)
–After decrypting the above message
Bob → Alice: E_K(R_B)
–R_B is a random number
Alice → Bob: E_B(R_B - 1)
Bob verifies R_B - 1

12 Needham-Schroeder Remark
R_A, R_B, and R_B - 1 can prevent replay attacks
BUT Mallory can store an old K
–Mallory → Bob: E_B(K, A)
–Bob → “Alice” (Mallory): E_K(R_B)
  R_B is a random number
–Mallory → Bob: E_B(R_B - 1)
–Bob verifies R_B - 1
–Mallory can impersonate Alice

13 Otway-Rees Protocol
Idea: add timestamp
Alice → Bob: I, A, B, E_A(R_A, I, A, B)
–I is the index number
Bob → Trent: I, A, B, E_A(R_A, I, A, B), E_B(R_A, I, A, B)
Trent → Bob: I, E_A(R_A, K), E_B(R_B, K)
–After decrypting the above message
Bob → Alice: I, E_A(R_A, K)
–R_B is a random number
Alice verifies I and R_B

14 Diffie-Hellman Key Agreement
Exchanging a secret key over a public channel
Key exchange protocol
–Select public parameters p,  and n
  p is prime and  is of order n in Z_p^*
–Alice selects random b privately and Alice → Bob: [  b mod p]
–Bob selects random c privately and Bob → Alice: [  c mod p]
–Alice and Bob compute  bc mod p (shared secret key)
  Bob's and Alice's key is  bc

15 Example of DH Exchange
Globally known P=2147483659 and  =2
Alice chooses b=12345 and sends Bob [B=  b mod p=428647416]
Bob chooses c=654323 and sends Alice [C=  c mod p=450904856]
Alice computes the secret key as C^b mod p = 1333327162
Bob computes the secret key as B^c mod p = 1333327162
So the secret key between Alice and Bob is 1333327162

16 Security of DH
Security of the Diffie-Hellman key exchange protocol is based on the CDH problem
Computational Diffie-Hellman (CDH)
–Given a group (G, *) and an element g of order q, given g^x and g^y, find g^{xy}
DLP is at least as hard as CDH
An algorithm that solves CDH can be used to decrypt ElGamal

17 CDH and ElGamal
Any algorithm that solves CDH can be used to decrypt ElGamal ciphertexts
Intuition:
–Decrypting (c_1 = g^k, c_2 = m  k ) is equivalent to computing  k
–Knows c_1 = g^k,  = g^a, and needs to compute g^{ka}
Proof:
–Assume that algorithm OracleCDH solves CDH
–Let (c_1, c_2) be an ElGamal ciphertext
–Let  = g^a, c_1 = g^k mod p, c_2 = m(g^a)^k mod p
–y = OracleCDH(g, , c_1)
–m = c_2 y^-1

18 Man-in-the-middle Attack
There is a man-in-the-middle attack
Need to be careful who you are agreeing a key with
[Figure: Alice (a), Eve (m, n) and Bob (b); exchanged values g^a, g^m, g^n, g^b; resulting keys g^{am} and g^{bn}]

19 Diffie-Hellman is NOT Enough
How does Alice know who she is agreeing a key with: is it Bob or Eve?
Using signatures:
–Alice signs her message to Bob
–Bob signs his message to Alice
–In that way both parties know who they are talking to

20 For Public Key Establishment
Above is private key establishment
For public key establishment:
–Intuition: the distribution of public keys is secure
–But: there is a man-in-the-middle attack
[Figure: Alice, Bob, Mallory and the KDC; public keys K_PA, K_PB, K_PM]

21 Interlock Protocol
Alice → Bob: K_PA
Bob → Alice: K_PB
Alice → Bob: Half_1(E_{K_PB}(M))
–After decrypting the above message
Bob → Alice: Half_1(E_{K_PA}(M))
Alice → Bob: Half_2(E_{K_PB}(M))
Bob combines Half_1 and Half_2 and decrypts
Bob → Alice: Half_2(E_{K_PA}(M))
Alice combines Half_1 and Half_2 and decrypts

22 Outline
Structure of Cryptographic Protocol
Cryptographic Protocols
–Key Establishment Protocols
–Authentication Protocols
Zero Knowledge Protocol

23 Authentication Protocol
Goal: two parties authenticate each other
Example:
–Alice wants to log in to a computer
  Hashing + salt
  SKEY
–Alice and Bob want to authenticate each other
  SKID (MAC) Protocol
  DASS Protocol

24 SKEY
Computer computes f(R), f(f(R)), … 100 times
In the computer's database: Alice + x_101
Alice stores x_1, x_2, x_3, …, x_100
1st login:
–Alice inputs her name and x_100
–Computer computes f(x_100)
–Computer replaces x_101 by x_100 in the database
–Alice deletes x_100 from her list
2nd login:
–Alice inputs the last x_i in her list
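The SKEY login steps above, as an added example (not code from the lecture). It assumes SHA-256 for the one-way function f and a constructed seed R; the names `make_chain` and `Computer` are hypothetical.

```python
import hashlib
import hmac

def f(x: bytes) -> bytes:
    # One-way function f. SHA-256 is an assumption; the slide does not name f.
    return hashlib.sha256(x).digest()

def make_chain(seed: bytes, n: int = 100):
    """Return ([x_1, ..., x_n], x_{n+1}) where x_1 = f(R) and x_{i+1} = f(x_i)."""
    chain, x = [], seed
    for _ in range(n + 1):
        x = f(x)
        chain.append(x)
    return chain[:n], chain[n]

class Computer:
    def __init__(self):
        self.db = {}                      # name -> last accepted chain value

    def enroll(self, name, x_next):
        self.db[name] = x_next            # stores x_101 only, never R or x_1..x_100

    def login(self, name, otp: bytes) -> bool:
        stored = self.db.get(name)
        if stored is None or not hmac.compare_digest(f(otp), stored):
            return False
        self.db[name] = otp               # replace x_{i+1} by x_i
        return True

def demo():
    alice_list, x101 = make_chain(b"constructed seed R")  # constructed sample input
    computer = Computer()
    computer.enroll("Alice", x101)
    x100 = alice_list.pop()               # Alice deletes x_100 once she uses it
    first = computer.login("Alice", x100)
    replay = computer.login("Alice", x100)             # captured value sent again
    skipped = computer.login("Alice", alice_list[-2])  # x_98 while x_99 is expected
    second = computer.login("Alice", alice_list.pop()) # x_99
    return [first, replay, skipped, second], len(alice_list)

if __name__ == "__main__":
    print(demo())
```

A value captured on the wire or read from the database is useless for the next login, because producing x_{i-1} from x_i means inverting f.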

25 SKID
Alice → Bob: R_A
–R_A is a random number
Bob → Alice: R_B, H_K(R_A, R_B, B)
–H_K is the MAC
Alice computes H_K(R_A, R_B, B) and checks
–At this step, Alice can authenticate Bob
Alice → Bob: H_K(R_B, A)
Bob computes H_K(R_B, A) and checks
–At this step, Bob can authenticate Alice
–A man-in-the-middle attack also exists
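The SKID exchange above with both sides' checks, as an added example (not code from the lecture). HMAC-SHA256 for H_K, 16-byte random numbers and length-prefixed field encoding are assumptions; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, *fields: bytes) -> bytes:
    # H_K over length-prefixed fields, so (R_A, R_B, B) cannot be re-split.
    msg = b"".join(len(x).to_bytes(2, "big") + x for x in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()

def bob_respond(key, r_a, name=b"Bob"):
    r_b = secrets.token_bytes(16)
    return r_b, mac(key, r_a, r_b, name)          # R_B, H_K(R_A, R_B, B)

def alice_check(key, r_a, r_b, tag, peer=b"Bob"):
    return hmac.compare_digest(tag, mac(key, r_a, r_b, peer))

def alice_respond(key, r_b, name=b"Alice"):
    return mac(key, r_b, name)                    # H_K(R_B, A)

def bob_check(key, r_b, tag, peer=b"Alice"):
    return hmac.compare_digest(tag, mac(key, r_b, peer))

def run(key_alice, key_bob):
    r_a = secrets.token_bytes(16)                 # Alice -> Bob: R_A
    r_b, tag_b = bob_respond(key_bob, r_a)
    if not alice_check(key_alice, r_a, r_b, tag_b):
        return "alice rejects bob"
    tag_a = alice_respond(key_alice, r_b)
    if not bob_check(key_bob, r_b, tag_a):
        return "bob rejects alice"
    return "mutual auth ok"

def replayed_response_accepted(key):
    # A recorded (R_B, tag) is bound to the R_A of the earlier run,
    # so it fails Alice's check against a fresh R_A.
    old_r_a = secrets.token_bytes(16)
    r_b, tag = bob_respond(key, old_r_a)
    fresh_r_a = secrets.token_bytes(16)
    return alice_check(key, fresh_r_a, r_b, tag)

if __name__ == "__main__":
    k = secrets.token_bytes(32)
    print(run(k, k), run(k, secrets.token_bytes(32)), replayed_response_accepted(k))
```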

26 DASS
DASS: Distributed Authentication Security Service
Alice → Trent: B
Trent → Alice: K_PB, Sig_{K_ST}(B, K_PB)
Alice → Bob: E_K(T_A), E_{K_PB}(L, A, K_PP), Sig_{K_SA}(L, A, K_PP), E_{K_PB}(K), Sig_{K_SP}(E_{K_PB}(K))
–K is the session key; T_A is the timestamp; L is the lifetime of the key; K_PP/K_SP are a public/private key pair
Bob → Trent: A
Trent → Alice: K_PA, Sig_{K_ST}(A, K_PA)
Bob verifies them
Bob → Alice: E_K(T_B)
Alice checks T_B

27 Outline
Structure of Cryptographic Protocol
Cryptographic Protocols
–Key Establishment Protocols
–Authentication Protocols
Zero Knowledge Protocol

28 Zero Knowledge Protocol
Motivation:
–When Alice authenticates to a server, she gives her password, but the server can then impersonate her
–Alice can prove she is “Alice”, but she gives the computer zero knowledge
–Zero-knowledge protocol: allows a prover to prove that he possesses a secret without revealing any information during verification
–Normally uses a challenge-response protocol

29 Zero Knowledge Proof of Identity
Alice's secret key is a function of her “Identity”
–Through a zero-knowledge proof, she can prove that she knows her secret key
–Fiat-Shamir Identity Protocol

30 Fiat-Shamir Identity Protocol
System parameter: n = pq
Public identity: v (v is a quadratic residue mod n)
Private authenticator: s ≡ sqrt(v^-1) mod n
Protocol (repeat t times):
–Alice picks random r in Z_n^*
–Alice → Bob: x = r^2 mod n
–Bob checks x ≠ 0
–Bob → Alice: random c in {0,1}
–Bob ← Alice: y, if c=0, y = r; if c=1, y = rs mod n
–Bob accepts: if c=0, x = r^2 mod n; if c=1, x ≡ y^2 v mod n
[Figure: Identity, Know Identity]

31 Security of Fiat-Shamir Protocol
If Alice does not know s, she can cheat Bob with prob. ½
–t times: the probability is 1/2^t
r cannot be used twice
–If it is reused, Bob may be able to compute s by s = r^-1 y
–Not zero-knowledge
Bob can impersonate Alice with prob. ½
–t times: the probability is 1/2^t

32 Parallel Fiat-Shamir Protocol
System parameter: n = pq
Public identity: v_1, …, v_k (v_i is a quadratic residue mod n)
Private authenticator: s_i ≡ sqrt(v_i^-1) mod n
Protocol (repeat t times):
–Alice picks random r in Z_n^*
–Alice → Bob: x = r^2 mod n
–Bob checks x ≠ 0
–Bob → Alice: a random {0,1} bit string b_0, b_1, …, b_k
–Bob ← Alice: y = r × (s_1^{b_1} × s_2^{b_2} × … × s_k^{b_k}) mod n
–Bob accepts: if x ≡ y^2 × (v_1^{b_1} × v_2^{b_2} × … × v_k^{b_k}) mod n

33 Fiat-Shamir Protocol Example
N = 35 = 5 × 7
–Alice → Bob: x = r^2 = 16^2 mod 35 = 11
–Bob → Alice: {0,1} string {1, 1, 0, 1}
–Bob ← Alice: y = 16 × (3^1 × 4^1 × 9^0 × 8^1) mod 35 = 31
–Bob accepts: if 11 ≡ 31^2 × (4^1 × 11^1 × 16^0 × 29^1) mod 35

v     v^-1   s = sqrt(v^-1)
4     9      3
11    16     4
16    11     9
29    29     8
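The parallel Fiat-Shamir round with the numbers of the example above, as an added example (not code from the lecture). It also works through two of the security remarks: a prover without s can prepare x for only one guessed challenge, and a reused r in the single-bit protocol yields s = r^-1 y. Function names are hypothetical and n = 35 is a toy modulus.

```python
N = 35                   # n = p*q = 5*7, from the slide's example
V = [4, 11, 16, 29]      # public identity v_1..v_k (from the slide)
S = [3, 4, 9, 8]         # private s_i, with s_i^2 * v_i = 1 (mod n)

def selected_product(values, bits, n=N):
    """Product of values[i] for which bits[i] == 1, reduced mod n."""
    out = 1
    for value, bit in zip(values, bits):
        if bit:
            out = out * value % n
    return out

def commit(r, n=N):
    return r * r % n                              # Alice -> Bob: x = r^2 mod n

def respond(r, bits, s=S, n=N):
    return r * selected_product(s, bits, n) % n   # y = r * prod(s_i^b_i) mod n

def verify(x, bits, y, v=V, n=N):
    # Bob accepts if x != 0 and x = y^2 * prod(v_i^b_i) mod n
    return x != 0 and x == y * y * selected_product(v, bits, n) % n

def slide_example():
    r, bits = 16, [1, 1, 0, 1]
    x = commit(r)
    y = respond(r, bits)
    return x, y, verify(x, bits, y)

def commit_for_guess(y, guess, v=V, n=N):
    """Without S, x can be prepared for one guessed challenge only."""
    return y * y * selected_product(v, guess, n) % n

def recover_secret(y_c0, y_c1, n=N):
    """Single-bit protocol, same r answered twice: y_c0 = r, y_c1 = r*s."""
    return pow(y_c0, -1, n) * y_c1 % n            # s = r^-1 * y (Python 3.8+)

if __name__ == "__main__":
    print(slide_example())
    x = commit_for_guess(2, [1, 0, 0, 0])
    print(verify(x, [1, 0, 0, 0], 2), verify(x, [0, 1, 0, 0], 2))
    print(recover_secret(16, 16 * 3 % N))
```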

34 Summary
Structure of Cryptographic Protocol
–Arbitration Protocol
–Verdict Protocol
–Self-enforcing Protocol
Cryptographic Protocols
–Key Establishment Protocols
–Authentication Protocols
–Zero Knowledge Protocol

