Security in Open Environments

Slides:



Advertisements
Similar presentations
Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Advertisements

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Public-key encryption. Symmetric-key encryption Invertible function Security depends on the shared secret – a particular key. Fast, highly secure Fine.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
Cryptographic Technologies
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Public Key Algorithms 4/17/2017 M. Chatterjee.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Security Management.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Public Key Model 8. Cryptography part 2.
CS5204 – Fall Cryptographic Security Presenter: Hamid Al-Hamadi October 13, 2009.
Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
1 Introduction to Security and Cryptology Enterprise Systems DT211 Denis Manley.
Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.
Cryptography, Authentication and Digital Signatures
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
1 Chapter 9: Key Management All algorithms we have introduced are based on one assumption: keys have been distributed. But how to do that? Key generation,
Chapter 3: Basic Protocols Dulal C. Kar. Key Exchange with Symmetric Cryptography Session key –A separate key for one particular communication session.
1 Cryptography NOTES. 2 Secret Key Cryptography Single key used to encrypt and decrypt. Key must be known by both parties. Assuming we live in a hostile.
Presented by: Suparita Parakarn Kinzang Wangdi Research Report Presentation Computer Network Security.
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
Upper OSI Layers Natawut Nupairoj, Ph.D. Department of Computer Engineering Chulalongkorn University.
Digital Signatures, Message Digest and Authentication Week-9.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
1 Normal executable Infected executable Sequence of program instructions Entry Original program Entry Jump Replication and payload Viruses.
Overview of Cryptography & Its Applications
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
COEN 351 E-Commerce Security
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Cryptographic Security Identity-Based Encryption.
Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.
Ch 13 Trustworthiness Myungchul Kim
Protocol Analysis. CSCE Farkas 2 Cryptographic Protocols Two or more parties Communication over insecure network Cryptography used to achieve goal.
Private key
Identify Friend or Foe (IFF) Chapter 9 Simple Authentication protocols Namibia Angola 1. N 2. E(N,K) SAAF Impala Russian MIG 1 Military needs many specialized.
9.2 SECURE CHANNELS JEJI RAMCHAND VEDULLAPALLI. Content Introduction Authentication Message Integrity and Confidentiality Secure Group Communications.
INCS 741: Cryptography Overview and Basic Concepts.
Cryptography services Lecturer: Dr. Peter Soreanu Students: Raed Awad Ahmad Abdalhalim
SECURITY. Security Threats, Policies, and Mechanisms There are four types of security threats to consider 1. Interception 2 Interruption 3. Modification.
Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.
Security. Security Needs Computers and data are used by the authorized persons Computers and their accessories, data, and information are available to.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
Key management issues in PGP
Computer Communication & Networks
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Lecture 4 - Cryptography
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Presentation transcript:

Security in Open Environments

Overview Types of attacks and countermeasures Zero-knowledge protocols Public-key Infrastructure

Security Models Unconditional Security: an attacker can do no better than guessing. (one-time pad). Complexity-theoretic security: Attacks are shown to be NP-complete. Provable security: Attacks are as difficult as a problem that’s suspected to be hard (like factoring.) Computational security: resources needed for an attack are beyond the capabilities of the attacker. Ad hoc security/heuristic security: Practically, an attacker is unable to successfully break a system.

Man-in-the-Middle Cryptographic Protocol attacks are often analyzed in terms of a man-in-the-middle This is an agent who is able to listen to and potentially add, delete, or change messages being sent over an open channel.

Classes of Attacks We can divide attacks roughly into two classes: A passive attack is one in which the attacker is only able to monitor the communications channel. Threatens confidentiality An active attack is one in which the attacker attempts to add, delete, or modify messages. Threatens both confidentiality and data integrity.

Attacks on encryption schemes Passive attacks can be further subdivided Ciphertext-only attacks attempt to deduce the plaintext from only the ciphertext. Low chance of succeeding against strong encryption. Known plaintext attacks: the attacker has access to a collection of plaintext messages and their corresponding ciphertext. If same key is used to encrypt multiple blocks, frequency analysis is possible.

Attacks on encryption schemes Chosen plaintext attack: the attacker gets to choose a message to be encrypted. Goal: learn something about other ciphertexts. This can be used to acquire a signed message. “Please authenticate me.” Adaptive chosen plaintext attack: attacker can iteratively choose plaintexts to be encrypted. Chosen ciphertext attack: attacker chooses ciphertext and sees the corresponding plaintext. Adaptive chosen ciphertext attack: attacker iteratively chooses ciphertexts and sees the corresponding plaintexts.

Active Attacks Known-key attack: The attacker obtains previously-used keys and uses this to deduce information about new keys. Tracks generation of pseudorandom numbers. Replay: an attacker records a communication session and replays part of it at a later time. Login, key exchange

Active Attacks Impersonation: Attacker assumes the identity of one or more members of the network. Reflection attack: A & B want to synchronize with secret keys – A sends a challenge to B A -> m1 -> B B -> E(m1, m2) -> A A -> m2 -> B Intruder intercepts, pretends to be B initiating the same protocol Catches A’s response, pretends this is B’s response to the original challenge.

Active Attacks Dictionary: Attacker uses a large list of words to deduce a password. UNIX password attacks Forward search: brute-force search of keyspace.

Active Attacks Consider this authentication protocol: A sends random number m1 to B. B returns random numbers m1 and m2, signed, plus an identifier. A returns signed random numbers m2 and m3, plus an identifier. A -> m1 -> B A <- m2, SB(m2, m1, A) <- B A -> m3, SA(m3, m2, B) -> B Intent: random numbers plus signatures will verify identity.

Active Attacks An enemy E can initiate two separate protocols with A and B: E -> m1 -> B E <- m2, S_B(m2, m1, A) <- B A <- m2 <- E A -> m3, S_A(m3, m2, B) -> E E -> m3, S_A(m3, m2, B) -> B Insecurity due to symmetry of messages Could vary structure or require m1 to be included in final message

Attacking Key Exchange Key exchange is one of the most common places for a man-in-the-middle attack. A sends B its public key. Man-in-the-middle replaces A’s public key with a false one. Man-in-the-middle is now able to intercept and decrypt secret messages from B to A.

Defeating Man-in-the-Middle Interlock protocol: A and B want to send messages to each other. A sends first half to B. B sends first half to A. A sends second half to B. B sends second half to A. Since the man-in-the-middle cannot decrypt half of a message, it must pass something on. Secure if the attacker cannot intelligibly mimic A or B.

Zero-knowledge Protocols One application of public-key cryptography is zero-knowledge protocols. Often, one party might want to prove or verify something to another without revealing any information Nuclear treaties Bank balances Sensitive information What are some real-world ways of solving this problem?

Zero-knowledge Protocols Real-world solutions Trusted third party Random cups/phone numbers Airline reservation Passwords Deck of cards

Zero-knowledge protocols Alice wants to prove to Bob that she is Alice. If she sends identification, Bob (or an eavesdropper) can use it. Example: Authority chooses a number N=77, known by all. Alice’s public ID: (58, 67) Alice’s private ID: (9,10) These are multiplicative inverses mod 77

Zero-knowledge protocols Alice chooses some random numbers and computes their square mod N. {19, 24, 51} -> 192(mod 77) = 53, 242(mod 77) = 37, 512(mod 77) = 60 Alice sends {53,37,60} to Bob. Bob sends back a random 2x3 matrix of 1s and 0s. 0 1 1 0 1 1

Zero-knowledge protocols Alice uses this grid, plus her original random numbers and her secret numbers, to compute: 19 * 90 * 101 (mod 77) = 36 24 * 91 * 100 (mod 77) = 62 51 * 91 * 101 (mod 77) = 47 She sends {36,62,47} to Bob.

Zero-knowledge protocols Bob verifies Alice’s identity by computing: {58,67} are Alice’s public numbers 362 *580 *671 (mod 77)= 53 622 *581 * 670 (mod 77) = 37 472 * 581 * 671 (mod 77) = 60 Alice’s original numbers reappear! (Actually, an attacker would have a 1 in 64 chance of guessing correctly …)

Zero-knowledge protocols In a real system, N would be very large 160 digits. Many more numbers would be generated. This works because Alice’s secret numbers are multiplicative inverses of her public numbers mod N. Also, Bob learns nothing that he didn’t know before.

Public-key Infrastructure For real-world applications, a complex web of software systems is required to ensure security. This is referred to as a Public Key Infrastructure (PKI). Focus shifts from provable protocol properties to system design.

Some PKI Needs We would like a PKI to ensure: Data Integrity Price Integrity Scalable Identification and Authentication Confidentiality Non-repuduation Interoperability

Trust Hierarchies One of the primary functions of a PKI is the establishment of trust between users with no prior history. A certificate authority can provide this, serving as a trusted third party.

Certificate Authority A certificate authority has a number of functions within a PKI Authentication Key generation Key revocation Many commercial entities serve as CAs

Certificate Authorities A Certificate Authority will wrap a user’s public key in a certificate. X.509 is most common standard. Contains the user’s identity and public key. Signed with the CA’s private key. Risk is shifted: Previously: could unknown user A be compromised? Now: could the CA be compromised?

Trust Models Hierarchical One root CA Scalable and fast Considered able to “vouch for” itself. Scalable and fast Tradeoff: More levels of hierarchy requires more work to design and maintain, but provides increased reliability/redundancy.

Example Encrypting: Alice generates a hash of her plaintext data. Alice concatenates hash and plaintext. Alice signs this with her private key. Alice obtains Bob’s public key from a CA and uses this to encrypt the signed message.

Example Decrypting: Bob uses his private key to decrypt the message. Bob then gets Alice’s public key from the CA. Bob decrypts the message with Alice’s public key to get plaintext plus hash. Bob computes the hash of the plaintext, verifying the integrity of the plaintext.

Trust Models Distributed (Web of Trust) No root CA Users are able to authenticate each other Same approach as P2P software Highly redundant, but not very efficient. Awkward fit for e-commerce.

Trust Models Direct Used with symmetric-key encryption No CA is involved Possession of secret key is sufficient for trust. Also not appropriate for e-commerce.

Trust Models Cross Certification CA’s in different hierarchies sign each other’s public keys. User A is trusted by Verisign, User B by Surety. Surety signs Verisign’s public key with its own, allowing B to trust A. Allows for scalable, dynamic trust networks.

Summary Encryption provides a technique for hiding and sharing secrets. To be effective, users must consider the system in which encryption is used. Subtle flaws in a protocol can make it insecure. A public key infrastructure is needed to provide secure communications