Off-the-Record Communication, or, Why Not To Use PGP

Oct 28, 2004WPES Off-the-Record Communication, or, Why Not to Use PGP Nikita Borisov Ian Goldberg Eric Brewer.
Presentation transcript:

Off-the-Record Communication, or, Why Not To Use PGP Slides by Su Zhang Nov 8th, 2010

Differences between Off-the-Record Communication and PGP
PGP system:
- Long-lived encryption key
- Non-repudiable authentication
Off-the-Record communication:
- Perfect forward secrecy
- Repudiability (verifiable only to the receiver, not to other people)
Off the Record Communication, or, Why Not To Use PGP 11/8/2010

What Security Properties Do We Want?
- Encryption -- Hide the content of the conversation
- Perfect Forward Secrecy -- Protect against future compromises
- Authentication -- Make sure the person you are talking to is the right one
- Repudiation -- Make sure the communications are personal and unverifiable to third parties

Why Is It Hard to Guarantee Online Security Properties?
- Compromising the decryption key exposes past and future messages encrypted with that key
- Any third party can verify the identity of the sender by verifying the signature on the message (digital signatures are used by protocols like PGP)

Perfect Forward Secrecy
- Uses short-lived encryption/decryption keys
- The short-lived keys are impossible to re-derive from the long-term keys
- No one (including the sender and the receiver) can reconstruct the key
- Keys are generated through the Diffie-Hellman key agreement protocol

Cryptographic Primitives Used by OTR
- Digital signatures
- Message Authentication Codes (MAC)
- Malleable encryption (AES)

Digital Signatures
- Long-lived signature keys (acceptable)
  - Key compromise does not affect past authentication (since the authenticated messages were already successfully received)
- Non-repudiation (undesirable)
  - The signer cannot disclaim authorship of a message she signed
  - Signed messages can be verified by anyone without the signer's cooperation
- Saves a lot of space: O(n) keys (shared secrets need O(n^2) keys)

Message Authentication Code
- A MAC can check the integrity of the message
- It cannot provide non-repudiation (it is repudiable)
- Two parties can authenticate each other (using their shared secret), but others cannot
- Bob cannot show others that Alice sent him the message, since he could have made the message himself.

Malleable Encryption and Forgeability
- Anyone could have changed the message before it arrived at the receiver (or before an attacker got it)
- Modifying the ciphertext can change the meaning of the plaintext even without knowing the encryption key (e.g. with a stream cipher)
- An attacker could choose another message whose ciphertext has the same length and substitute it for the original
- This shows that anyone could have modified the message, so nobody (except Bob) can find any clue about Alice from the message she sent.

The Off-the-Record Messaging Protocol
- Uses the cryptographic primitives mentioned above
- Achieves the aforementioned security properties
- Mainly for low-latency communication protocols

Off-the-Record -- Encryption
- Encryption algorithm -- AES (malleable)
- Encryption key -- generated through Diffie-Hellman key agreement
- Short-term keys (forward secrecy): keys are regenerated frequently
- Diffie-Hellman is computationally cheap (only two modular exponentiations), so the communicating parties can regenerate keys as frequently as possible.

Off-the-Record -- Message Exchange
Course of the exchange:
  A → B: $g^{x_1}$
  B → A: $g^{y_1}$
  A → B: $g^{x_2}$, $E(M_1, k_{11})$
  B → A: $g^{y_2}$, $E(M_2, k_{21})$
  A → B: $g^{x_3}$, $E(M_3, k_{22})$
Key construction:
- $g^{x_i y_j}$ is called the shared secret in the DH protocol
- Encryption key: $k_{ij} = H(g^{x_i y_j})$
- Message exchange proceeds together with key exchange.
- Each message is encrypted using the shared secret derived from the last key received from the other party and the last key previously sent to the other party.
- A key ID should also be included in the message so that both the sender and the receiver know which $k_{ij}$ is being used, since the protocol does not require Alice and Bob to take turns sending messages to each other.

Off-the-Record -- Forgetting Keys
- A cannot forget $x_{i-1}$ or any later key until she has received a message from B encrypted with $x_i$
- A only generates a new key after she has received a reply from B (so A holds at most two keys at a time)
- Send an empty message if nothing has been sent for a while
  - Neither party should go too long without sending a message. Instead, it should send an empty message to reduce the size of the window of vulnerability (the period during which a key has not been changed).

Off-the-Record -- Authentication
- At the beginning, digital signatures are used to verify each other's identity:
  A → B: $Sign(g^{x_1}, k_a)$, $K_A$
  B → A: $Sign(g^{y_1}, k_b)$, $K_B$
- After that, messages encrypted with $H(g^{x_1 y_1})$ can be accepted
- MAC keys are used as the authenticators from then on
- Even if Eve gets the encryption key, she still cannot learn the identities of the sender or receiver

Off-the-Record -- Authentication (cont.)
- Subsequent protocol messages: $g^{x_{i+1}}$, $E(M_k, k_{ij})$, $MAC(\{g^{x_{i+1}}, E(M_k, k_{ij})\}, H(k_{ij}))$
- MAC key: $H(k_{ij}) = H(H(g^{x_i y_j}))$
- Both the message and the encryption key are authenticated

Revealing MAC Keys
- Let everyone use the MAC keys as authenticators (so no one can prove that messages authenticated with these keys are from Alice)
- Messages previously authenticated with these keys remain validated (because they were already successfully received)
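The message exchange, authentication and MAC-key-revealing slides above, combined in one added example (not code from the slides or from the OTR project). It derives k_ij = H(g^(x_i y_j)), MACs each message under H(k_ij), and shows that once that MAC key is published a malleable ciphertext can be rewritten and still verify, which is why a transcript proves nothing to a third party. The 127-bit toy group, SHA-256 as H, HMAC as the MAC, the hash-based keystream standing in for AES used as a stream cipher, and the sample messages are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3  # toy DH group (assumption); a real deployment uses a far larger prime

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def dh_keypair():
    x = secrets.randbelow(P - 3) + 2  # private exponent x_i
    return x, pow(G, x, P)            # (x_i, g^x_i)

def enc_key(my_priv: int, their_pub: int) -> bytes:
    # k_ij = H(g^(x_i * y_j)); both sides compute the same value
    return H(pow(their_pub, my_priv, P).to_bytes(16, "big"))

def stream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in for AES as a stream cipher: XOR with a hash-derived keystream
    ks = b"".join(H(key + n.to_bytes(4, "big")) for n in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def mac(mac_key: bytes, key_id, next_pub: int, ct: bytes) -> bytes:
    # MAC({g^x_(i+1), E(M, k_ij)}, H(k_ij)), with the key ID bound in as well
    return hmac.new(mac_key, repr((key_id, next_pub)).encode() + ct, hashlib.sha256).digest()

def send(key_id, my_priv, their_pub, next_pub, msg: bytes):
    k = enc_key(my_priv, their_pub)
    ct = stream_xor(k, msg)
    return key_id, next_pub, ct, mac(H(k), key_id, next_pub, ct)

def receive(packet, my_priv, their_pub):
    key_id, next_pub, ct, tag = packet
    k = enc_key(my_priv, their_pub)
    if not hmac.compare_digest(tag, mac(H(k), key_id, next_pub, ct)):
        return None  # reject: MAC does not verify
    return stream_xor(k, ct)

def rewrite_with_revealed_mac_key(packet, mac_key: bytes, old: bytes, new: bytes):
    # Uses only the published MAC key H(k_ij), never k_ij itself: XOR the plaintext
    # difference into the ciphertext (old and new have equal length), then re-MAC.
    key_id, next_pub, ct, _ = packet
    ct2 = bytes(c ^ o ^ n for c, o, n in zip(ct, old, new))
    return key_id, next_pub, ct2, mac(mac_key, key_id, next_pub, ct2)

def demo():
    (x1, gx1), (y1, gy1), (_, gx2) = dh_keypair(), dh_keypair(), dh_keypair()
    pkt = send((1, 1), x1, gy1, gx2, b"meet at noon")  # constructed sample message
    revealed = H(enc_key(y1, gx1))                     # MAC key published after use
    fake = rewrite_with_revealed_mac_key(pkt, revealed, b"meet at noon", b"meet at nine")
    return receive(pkt, y1, gx1), receive(fake, y1, gx1), enc_key(y1, gx2) != enc_key(y1, gx1)
```

The third value returned by demo() confirms that the key Bob derives from Alice's next public value differs from k_11, which is the rotation the forward-secrecy slides rely on.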

Implementation of OTR -- Design
- The Off-the-Record protocol is built on top of an IM protocol
- Incremental deployment
  - Users can use their IM client to communicate with people whether or not they have the security plug-in
- Virtual session
  - Lasts until the client terminates or until a period of inactivity has passed
- A message is first encrypted and authenticated using our protocol, and then the result is encoded as a text message and sent as a regular instant message.
- To support these two modes, the plugin must keep a list of which buddies support secure communication and which don't.
- This list is populated automatically: the first time Alice sends a message to another user, Bob, it is sent unencrypted

Implementation of OTR -- Implementation
- IM client: GAIM
  - Can integrate several different IM applications
- API dealing with Off-the-Record
  - Received an encrypted message
  - Received a cleartext message
  - Received an error message
  - Received an ignorable message (one that does not include a user message)

Using OTR for a High-Latency Application -- Email
- Key agreement is impractical
  - The Diffie-Hellman protocol needs both parties to be online
- Solution: ring signatures
  - Any member of a set of people can produce the signature, but others cannot tell which one signed. (Similar to MAC authentication but with less privacy, since the sender is confined to a small set.)
- Mitigating the reduced privacy
  - Publish the signature key after all signed messages have been authenticated (making the keys short-term)

Conclusions
- Off-the-Record realizes the ideal security properties
  - Repudiable online communication
  - Perfect forward secrecy
  - Confidentiality and authenticity assurances are maintained

Questions & Discussion
Thank you!