Topic 14: Secure Communication1 Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication.

Slides:



Advertisements
Similar presentations
AUTHENTICATION AND KEY DISTRIBUTION
Advertisements

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CP3397 ECommerce.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
Cryptography and Network Security
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
CSE 486/586, Spring 2014 CSE 486/586 Distributed Systems Security Steve Ko Computer Sciences and Engineering University at Buffalo.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.
Introduction to Cryptography
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
EECC694 - Shaaban #1 lec #16 Spring Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.
1 Authentication Protocols Celia Li Computer Science and Engineering York University.
Computer Science Public Key Management Lecture 5.
Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.
JSSE API University of Palestine Eng. Wisam Zaqoot April 2010.
CSCI 6962: Server-side Design and Programming
Network Security. An Introduction to Cryptography The encryption model (for a symmetric-key cipher).
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Secure Socket Layer (SSL)
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
1 Lecture 14: Real-Time Communication Security real-time communication – two parties interact in real time (as opposed to delayed communication like )
每时每刻 可信安全 1The DES algorithm is an example of what type of cryptography? A Secret Key B Two-key C Asymmetric Key D Public Key A.
Introduction to Secure Sockets Layer (SSL) Protocol Based on:
Unit 1: Protection and Security for Grid Computing Part 2
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
Cryptography and Network Security (CS435) Part Fourteen (Web Security)
Web Security : Secure Socket Layer Secure Electronic Transaction.
Cryptography and Network Security (CS435) Part Eight (Key Management)
15.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Key Management.
Authentication 3: On The Internet. 2 Readings URL attacks
Fall 2010/Lecture 321 CS 426 (Fall 2010) Key Distribution & Agreement.
Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.
X.509 Topics PGP S/MIME Kerberos. Directory Authentication Framework X.509 is part of the ISO X.500 directory standard. used by S/MIME, SSL, IPSec, and.
Topic 14: Secure Communication1 Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Chapter 10: Key Management in Public key cryptosystems Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Modified by Prof. M. Singhal,
Computer and Network Security - Message Digests, Kerberos, PKI –
Protocol Analysis. CSCE Farkas 2 Cryptographic Protocols Two or more parties Communication over insecure network Cryptography used to achieve goal.
Key Management Network Systems Security Mort Anvari.
Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
CPS Computer Security Tutorial on Creating Certificates SSH Kerberos CPS 290Page 1.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
Secure Socket Layer SSL and TLS. SSL Protocol Peer negotiation for algorithm support Public key encryptionPublic key encryption -based key exchange and.
Mar 28, 2003Mårten Trolin1 This lecture Certificates and key management Non-interactive protocols –PGP SSL/TLS –Introduction –Phases –Commands.
@Yuan Xue CS 285 Network Security Key Distribution and Management Yuan Xue Fall 2012.
Pertemuan #8 Key Management Kuliah Pengaman Jaringan.
@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.
Cryptography CSS 329 Lecture 13:SSL.
Dr. Nermi hamza.  A user may gain access to a particular workstation and pretend to be another user operating from that workstation.  A user may eavesdrop.
Network Security and It’s Issues
Secure Sockets Layer (SSL)
The Secure Sockets Layer (SSL) Protocol
Presentation transcript:

Topic 14: Secure Communication1 Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication

Topic 14: Secure Communication2 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric key part)Needham-Schroeder protocol Public Key Certificates HTTP Secure

Outline and Objectives Key distribution among multiple parties Kerberos Distribution of public keys, with public key certificates Diffie-Hellman Protocol TLS/SSL/HTTPS Topic 14: Secure Communication3

Symmetric Key Agreement among Multiple Parties For a group of N parties, every pair needs to share a different symmetric key –What is the number of keys? –What secure channel to use to establish the keys? How to establish such keys –Symmetric Encryption - Use a central authority, a.k.a. (TTP). –Asymmetric Encryption – PKI. Topic 14: Secure Communication4

5 Needham-Schroeder Shared-Key Protocol Parties: A, B, and trusted server T Setup: A and T share K AT, B and T share K BT Goal: –Security: Mutual entity authentication between A and B; key establishment, Secure against active attacker & replay –Efficiency: Minimize the involvement of T; T can be stateless Messages: A  T: A, B, N A (1) A  T: E[K AT ] (N A, B, k, E[K BT ](k,A))(2) A  B: E[K BT ] (k, A) (3) A  B: E[k] (N B ) (4) A  B: E[k] (N B -1)(5) What bad things can happen if there is no N A ? Another subtle flaw in Step 3.

Topic 14: Secure Communication6 Kerberos Implements the idea of Needham- Schroeder protocol Kerberos is a network authentication protocol Provides authentication and secure communication Relies entirely on symmetric cryptography Developed at MIT: Used in many systems, e.g., Windows 2000 and later as default authentication protocol

Topic 14: Secure Communication7 Kerberos Overview One issue of Needham-Schroeder – Needs [K AT ] to talk to any new service. –Think about a login session with K AT derived from a password; either the password needs to be stored, or user needs to enter it every time Kerberos solution: Separates TTP into an AS and a TGS. The client authenticates to AS using a long-term shared secret and receives a TGT [SSO]. Use this TGT to get additional tickets from TGS without resorting to using the shared secret. AS = Authentication Server SS = Service Server TGS = Ticket Granting Server TGT = Ticket Granting Ticket

Kerberos Protocol - 1 Topic 14: Secure Communication8 C (client) SS (server) AS (authentication server) TGS (ticket-granting server)

Kerberos Protocol – 2 (Simplified) Topic 14: Secure Communication9 1. C  AS: TGS || N C 2. AS  C: { K C,TGS || C} K AS,TGS || {K C,TGS || N C || TGS} K AS,C (Note that the first part of message 2 is the ticket granting ticket (TGT) for the TGS) 3. C  TGS: SS || N’ C || {K C,TGS || C} K AS,TGS || {C||T 1 } K C,TGS 4. TGS  C: {K C,SS || C} K TGS,SS || {K C,SS || N’ C || SS} K C,TGS (Note that the first part in message 4 is the ticket for the server S). 5. C  SS: {K C,SS || C} K TGS,SS || {C || T 2 } K C,SS 6. SS  C: {T 3 } K C,SS

Topic 14: Secure Communication10 Kerberos Drawback Highly trusted TTP: KS –Malicious KS can silently eavesdrop in any communication Single point of failure: Security partially depends on tight clock synchronization. Useful primarily inside an organization –Does it scale to Internet? What is the main difficulty?

Topic 14: Secure Communication11 Public Keys and Trust Public Key: P A Secret key: S A Public Key: P B Secret key: S B How are public keys stored? How to obtain the public key? How does Bob know or ‘trusts’ that P A is Alice’s public key?

Topic 14: Secure Communication12 Distribution of Public Keys Public announcement : users distribute public keys to recipients or broadcast to community at large. Publicly available directory : can obtain greater security by registering keys with a public directory. Both approaches have problems, and are vulnerable to forgeries

Topic 14: Secure Communication13 Public-Key Certificates A certificate binds identity (or other information) to public key Contents digitally signed by a trusted Public-Key or Certificate Authority (CA) –Can be verified by anyone who knows the public-key authority’s public-key. For Alice to send an encrypted message to Bob, obtains a certificate of Bob’s public key

Public Key Certificates Topic 14: Secure Communication14

Topic 14: Secure Communication15 X.509 Certificates Part of X.500 directory service standards. –Started in 1988 Defines framework for authentication services: –Defines that public keys stored as certificates in a public directory. –Certificates are issued and signed by an entity called certification authority (CA). Used by numerous applications: SSL, IPSec, SET Example: see certificates accepted by your browser

Topic 14: Secure Communication16 How to Obtain a Certificate? Define your own CA (use openssl or Java Keytool) –Certificates unlikely to be accepted by others Obtain certificates from one of the vendors: VeriSign, Thawte, and many others

Topic 14: Secure Communication17 CAs and Trust Certificates are trusted if signature of CA verifies Chain of CA’s can be formed, head CA is called root CA In order to verify the signature, the public key of the root CA should be obtain. TRUST is centralized (to root CA’s) and hierarchical What bad things can happen if the root CA system is compromised? How does this compare with the TTP in Needham/Schroeder protocol?

Topic 14: Secure Communication18 Key Agreement: Diffie-Hellman Protocol Key agreement protocol, both A and B contribute to the key Setup: p prime and g generator of Z p *, p and g public. K = (g b mod p) a = g ab mod p g a mod p g b mod p K = (g a mod p) b = g ab mod p Pick random, secret (a) Compute and send g a mod p Pick random, secret (b) Compute and send g b mod p

Topic 14: Secure Communication19 Authenticated Diffie-Hellman g a mod n g b mod n g c mod n Alice computes g ac mod n and Bob computes g bc mod n !!! Is C Alice Alice’s certificate? C Alice, g a mod n, Sign Alice (g a mod n) C Bob, g b mod n, Sign Bob (g b mod n) Is C Bob Bob’s certificate?

Forward Secrecy Compromise of long-term keys does not compromise past session keys. –I.e., a session that is secure now remains secure in future –Violated in secret-key based protocols such as Needham- Schroeder and used in Kerberos Can be satisfied by ephemeral Diffie-Hellman –Do not store secrets such as a, b after computing g ab. –Long-term secret (digital signature signing keys) used only for authenticity Stealing a key cannot compromise authenticity of past sessions Topic 14: Secure Communication20

Secure communication 21Topic 14: Secure Communication

22 Transport Layer Security (TLS) Predecessors: Secure socket layer (SSL): Versions 1.0, 2.0, 3.0 TLS 1.0 (SSL 3.1); Jan 1999 TLS 1.1 (SSL 3.2); Apr 2006 TLS 1.2 (SSL 3.3); Aug 2008 Standard for Internet security –Originally designed by Netscape –Goal: “... provide privacy and reliability between two communicating applications” Two main parts –Handshake Protocol Establish shared secret key using public-key cryptography Signed certificates for authentication –Record Layer Transmit data using negotiated key, encryption function

Usage of SSL/TLS Applied on top of transport layer (typically TCP) Used to secure HTTP (HTTPS), SMTP, etc. One or both ends can be authenticated using public key and certificates –Typically only the server is authenticated Client & server negotiate a cipher suite, which includes –A key exchange algorithm, e.g., RSA, Diffie-Hellman, SRP, etc. –An encryption algorithm, e.g., RC4, Triple DES, AES, etc. –A MAC algorithm, e.g., HMAC-MD5, HMC-SHA1, etc. Topic 14: Secure Communication23

What Goes Wrong in Real World? Heartbleed software bug in OpenSSL –Improper input validation (missing bounds check) –Buffer over-read: Exploitation is able to read data in memory, including private key, etc. SSL Certificate validation errors Non-random private keys in RSA n=pq (the same primes are occasionally generated) Pre-computation can be used to break Diffie-Hellman used in TLS –(Optional) See “Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice” in CCS 2015 Topic 14: Secure Communication24

Viewing HTTPS web sites Browser needs to communicate to the user the fact that HTTPS is used –E.g., a golden lock indicator on the bottom or on the address bar –Check some common websites –When users correctly process this information, can defeat phishing attacks –Security problems exist People don’t know about the security indicator People forgot to check the indicator Browser vulnerabilities enable incorrect indicator to be shown Use confusing URLs, e.g., – Stored certificate authority info may be changed Topic 14: Secure Communication25

Topic 14: Secure Communication26 Coming Attractions … Malware Defense & Intrusion Detection

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.