Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 3.3: Fair Exchange.

Slides:

Advertisements

Similar presentations

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.

Advertisements

Atomic Transactions CS523 - Spring Brian Schmidt.

Multi-Party Contract Signing Sam Hasinoff April 9, 2001.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 6. Security in Mobile Ad-Hoc Networks.

E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April Seo, Seung-Hyun Dept. of Computer Science and.

Computer Science Dr. Peng NingCSC 774 Advanced Network Security1 Topic 3.1: NetBill.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 4.2 BiBa.

Secure Multiparty Computations on Bitcoin

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5.3 Group Key Distribution Acknowledgment: Slides on.

CSC 774 Advanced Network Security

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 7.3 Secure and Resilient Location Discovery in Wireless.

Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Digital Signatures and Hash Functions. Digital Signatures.

Computer Science Dr. Peng NingCSC 774 Advanced Network Security1 Topic 3.2: Micro Payments.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Preparation for In-class Presentations.

6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC Instructor:Professor Anvari Student ID: Name:Xin Wen Date:11/25/00.

Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.

Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Digital Cash Damodar Nagapuram. Overview ► Monetary Freedom ► Digital Cash and its importance ► Achieving Digital Cash ► Disadvantages with digital cash.

Copyright © B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall Security Systems Lecture notes Dr.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Optimistic Synchronous Multi-Party Contract Signing N. Asokan, Baum-Waidner, M. Schunter, M. Waidner Presented By Uday Nayak Advisor: Chris Lynch.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Computer Science 1 CSC 774 Advanced Network Security Dr. Peng Ning

Computer Science CSC 774Dr. Peng Ning1 CSC 774 Advanced Network Security Topic 2. Review of Cryptographic Techniques.

CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.

Computer Science CSC 774 Adv. Net. SecurityDr. Peng Ning1 CSC 774 Advanced Network Security Topic 4. Broadcast Authentication.

Pay As You Go – Associating Costs with Jini Leases By: Peer Hasselmeyer and Markus Schumacher Presented By: Nathan Balon.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Security using Encryption Security Features Message Origin Authentication - verifying that the sender is who he or she says they are Content Integrity.

Csci5233 Computer Security1 Bishop: Chapter 10 Key Management: Digital Signature.

Lecture 8 Digital Signatures. This lecture considers techniques designed to provide the digital counterpart to a handwritten signature. A digital signature.

CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)

Secure Electronic Transaction (SET)

Andrew Lindell Aladdin Knowledge Systems and Bar-Ilan University 04/09/08 CRYP-202 Legally-Enforceable Fairness in Secure Two-Party Computation.

An Efficient and Secure Event Signature (EASES) Protocol for Peer-to-Peer Massively Multiplayer Online Games Mo-Che Chan, Shun-Yun Hu and Jehn-Ruey Jiang.

E-Science Meeting March Trusted Coordination in Dynamic Virtual Organisations Santosh Shrivastava School of Computing Science Newcastle University,

Network Security Lecture 26 Presented by: Dr. Munam Ali Shah.

Analysis of a Fair Exchange Protocol Vitaly Shmatikov John Mitchell Stanford University.

Códigos y Criptografía Francisco Rodríguez Henríquez Security Attacks: Active and Passive Active Masquerade (impersonation) Replay Modification of message.

Information Security Conference (ISC 2015) On the Efficiency of Multi-Party Contract Signing Protocols Gerard Draper-Gil, Josep-Lluis Ferrer Gomila, M.

Key Management Celia Li Computer Science and Engineering York University.

Signcryption Parshuram Budhathoki Department of Mathematical Sciences Florida Atlantic University April 18, 2013

Chapter 4 Using Encryption in Cryptographic Protocols & Practices (Part B)

Chapter 4 Using Encryption in Cryptographic Protocols & Practices.

31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Computer Science CSC 774 Adv. Net. Security1 Presenter: Tong Zhou 11/21/2015 Practical Broadcast Authentication in Sensor Networks.

1 Normal executable Infected executable Sequence of program instructions Entry Original program Entry Jump Replication and payload Viruses.

Security fundamentals Topic 5 Using a Public Key Infrastructure.

Authenticated Key Exchange I. Definitions I. MAP I. matching conversations II. oracles II. (I)KA II. AKEP2 III. AKEP2 Security I. Session Keys II. Perfect.

Network Security Celia Li Computer Science and Engineering York University.

EE 122: Lecture 24 (Security) Ion Stoica December 4, 2001.

IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.

Fall 2006CS 395: Computer Security1 Key Management.

Copyright 2004 MayneStay Consulting Group Ltd. - All Rights Reserved Jan-041 Security using Encryption Security Features Message Origin Authentication.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5.3 Group Key Distribution Acknowledgment: Slides on.

Probabilistic Contract Signing CS 395T. Probabilistic Fair Exchange uTwo parties exchange items of value Signed commitments (contract signing) Signed.

Verifiable Threshold Secret Sharing and Full Fair Secure Two-party Computation YE Jian-wei March 7, 2009.

Trusted CoordinationTAPAS Workshop, 25-26/09/031 Building Blocks for Trusted Coordination Nick Cook University of Newcastle.

Security Outline Encryption Algorithms Authentication Protocols

Advanced Computer Networks

Hash Function Requirements

Probabilistic Contract Signing

Presentation transcript:

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 3.3: Fair Exchange

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security2 Outline Overview of Fair Exchange Optimistic Fair Exchange –A General Protocol –Optimized Protocol Contract signing Self-study –Optimized Protocols Certified mail Payment for receipt Fair purchase

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security3 Fair Exchange A fair exchange should guarantee that at the end of the exchange –Either each party has received what it expects to receive, –Or no party has received anything Examples –Certified mail –Contract signing –Payment

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security4 Traditional Fair Exchange ISO proposals –Use a TTP to ensure fairness Limitations –TTP is heavily involved –Bottleneck –Single point of failure Trusted Third Party (TTP) OriginatorResponder

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security5 Optimistic Fair Exchange Assumptions –Most participants are honest Allow participants to exchange without TTP Fall back to TTP when there are failures –Dishonest participants, communication failures, etc. Trusted Third Party (TTP) OriginatorResponder

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security6 Three Phases of Optimistic Fair Exchange Phase 1 –The parties try to exchange items without a TTP Phase 2 –The parties try to exchange items through a TTP Phase 3 –Each computer outputs all evidence and any participant may visit a court

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security7 Degree of Fairness Strong (true) fairness –If the TTP is able to Undo a transfer of an item (revocability) –Example: revoke a signed contract Produce a replacement for it (Generatability) –Example: generate a replacement of a receipt Weak fairness –If the TTP can only produce affidavits –Requires an external dispute resolution system Example: court

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security8 Generic Exchange Protocol Two stages –Stage 1 (Two flows) The originator O and the recipient R promise each other an exchange of items –Stage 2 (Three flows) Exchange the items along with non-repudiation tokens

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security9 Notations item X : the item X wants to send descr X : a description of item X expect X (descr X, descr Y ): –Evaluate to true if X is satisfied with exchanging item X with item Y. fits(descr, item) –Evaluate to true if the description fits the item h(): hash function (key, comm) = commit(item) –Generate a commitment comm to item, and also generate a key, without which it’s impossible to get the item. –Verifiable encryption. open(item, key, comm) –Use key to open the item whose commitment is comm.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security10 Generic Exchange Protocol (Cont’) OTR In: item O, descr O, expect O In: item R, descr R, expect R Choose y O (recovery authenticator) r O (NRR authenticator) randomly; determine T (key O, com O ) := commit (item O ) If not expect R (descr R, descr O ) then Abort; Choose y R (recovery authenticator) r R (NRR authenticator) randomly; (key R, com R ) := commit (item R ) m 1 :=sign O (T, R, h(y O ), h(r O ), t, com O, descr O ) m 2 :=sign R (O, h(m 1 ), h(y R ), h(r R ), com R, descr R )

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security11 Generic Exchange Protocol (Cont’d) OTR expect O (descr O, descr R ) open (item O, key O, com O )? fits(descr O, item O )? m 3 :=item O, key O m 4 :=item R, r R, key R If fits (itemR, descrR) and open (item R, key R, com R ) and [no timeout] then m 5 :=r O If [timeout] then [Recovery for R] else [Recovery for O]

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security12 OR Output: item R NRO Token: (m 2, key R, com R ) NRR Token: (m 1, m 2, r R ) Output: item O NRO Token: (m 1, key O, com O ) NRR Token: (m 1, m 2, r O ) Generic Exchange Protocol (Cont’d) Question: –Why can these tokens guarantee NRO or NRR?

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security13 Recovery for O O T R If [the received messages fit together] then retransmit m 3, observable by T If [retransmit invalid] then abort elseif not [timeout] then open (item O, key O, com O )? fits(descr O, item O )? retransmit m 4, observable by T open (item R, key R, com R )? fits (itemR, descrR)? m5m5 else

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security14 Question Can this recovery protocol guarantee –Strong fairness for O? ______ –Weak fairness for O? ______

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security15 Recovery for R O T R If [the received messages fit together] then If [retransmit invalid] then abort if not [timeout] then retransmit m 4, observable by T open (item R, key R, com R )? fits (item R, descr R )? m5m5 else

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security16 Question Can this recovery protocol guarantee –Strong fairness for R? ______ –Weak fairness for R? ______

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security17 Types of items Confidential data –Data that will be released during the protocol –Example: Software Public data –Data that will be released even if the protocol execution fails –Purpose: fair exchange of non-repudiation tokens. –Example: contract Payments –A payment sub-protocol that is executed to transfer value from payer to payee –Example: PayWords

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security18 Public DataConf. DataPayment Generatable Revocable Types of Items (Cont’d) Generatable –The TTP can produce a replacement of the item Revocable –The TTP can undo the transfer of the item

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security19 Exchange Types Public DataConf. DataPayment Public DataContract Signing Certified Mail Payment with Receipt Conf. DataExchange of Goods Fair Purchase PaymentCurrency Exchange

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security20 Optimized Protocol -- Contract Signing OTR In: contract O In: contract R Choose o O randomly; determine T Choose yR randomly. contract R =contract O ? m 1 :=sign O (T, R, h(o O ), t, contract O ) m 2 :=sign R (h(m 1 ), h(y R ) m 3 := o O

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security21 Contract Signing (Cont’d) OTR If [timeout] then If [the received messages fit together] then m2m2 If [response] then else m3m3

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security22 Contract Signing (Cont’d) OR Output: contractR, (m1, m2) Output: contractR, (m1, o O ) Question: –Why can these tokens guarantee NRO or NRR?