1 Uncoercible Communication, or How to Lie with Impunity Matthew Kerner CSEP 590 3/5/06.

Slides:

Advertisements

Similar presentations

MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.

Advertisements

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

Session 4 Asymmetric ciphers.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

Introduction to Modern Cryptography Homework assignments.

Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

Quantum Key Establishment Wade Trappe. Talk Overview Quantum Demo Quantum Key Establishment.

Overview of Cryptography and Its Applications Dr. Monther Aldwairi New York Institute of Technology- Amman Campus INCS741: Cryptography.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.

Single Photon Quantum Encryption Rob Grove April 25, 2005.

EECS 598 Fall ’01 Quantum Cryptography Presentation By George Mathew.

Lecture 2: Message Authentication Anish Arora CSE5473 Introduction to Network Security.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

1 Lecture 18: Security issues specific to security key management services –privacy –integrity/authentication –nonrepudiation/plausible deniability.

8. Data Integrity Techniques

Pretty Good Privacy by Philip Zimmerman presented by: Chris Ward.

Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.

Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

HW6 due tomorrow Teams T will get to pick their presentation day in the order Teams T will get to pick their presentation day in the order Teams mostly.

Chapter 4: Intermediate Protocols

One-Time Pad Or Vernam Cipher Sayed Mahdi Mohammad Hasanzadeh Spring 2004.

Symmetric versus Asymmetric Cryptography. Why is it worth presenting cryptography? Top concern in security Fundamental knowledge in computer security.

Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.

1 Lect. 13 : Public Key Encryption RSA ElGamal. 2 Shamir Rivest Adleman RSA Public Key Systems  RSA is the first public key cryptosystem  Proposed in.

Security: An Overview of Cryptographic Techniques /440 With slides from: Debabrata Dash, Nick Feamster, Gregory Kesden, Vyas Sekar and others.

``Chaffing and Winnowing’’ & Crypto Policy Comments Ronald L. Rivest Cryptography and Information Security Group MIT Lab for Computer Science April 1998.

Message Authentication Code July Message Authentication Problem  Message Authentication is concerned with:  protecting the integrity of a message.

Cryptography Wei Wu. Internet Threat Model Client Network Not trusted!!

Chapter 21 Public-Key Cryptography and Message Authentication.

NSRI1 Security of Wireless LAN ’ Seongtaek Chee (NSRI)

Network Security Lecture 10 Presented by: Dr. Munam Ali Shah.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

Confidentiality Confidentiality is maintained so long as private keys are secure. Authenticity is possible via public-key encryption by encrypting messages.

Chapter 2 Advanced Cryptography (Part C)

Introduction to Quantum Key Distribution

Privacy versus Authentication Confidentiality (Privacy) –Interceptors cannot read messages Authentication: proving the sender’s identity –The Problem of.

Digital Signatures, Message Digest and Authentication Week-9.

CS555Topic 251 Cryptography CS 555 Topic 25: Quantum Crpytography.

Lecture 2: Introduction to Cryptography

Authentication Issues and Solutions CSCI 5857: Encoding and Encryption.

Game-based composition for key exchange Cristina Brzuska, Marc Fischlin (University of Darmstadt) Nigel Smart, Bogdan Warinschi, Steve Williams (University.

WEP – Wireless Encryption Protocol A. Gabriel W. Daleson CS 610 – Advanced Security Portland State University.

The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Authentication Protocols (I): Secure Handshake.

+ Security. + What is network security? confidentiality: only sender, intended receiver should “understand” message contents sender encrypts message receiver.

Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University.

Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.

Homework #1 J. H. Wang Oct. 2, 2013.

Software Security Seminar - 1 Chapter 4. Intermediate Protocols 발표자 : 이장원 Applied Cryptography.

802.11b Security CSEP 590 TU Osama Mazahir. Introduction Packets are sent out into the air for anyone to receive Eavesdropping is a much larger concern.

Identify Friend or Foe (IFF) Chapter 9 Simple Authentication protocols Namibia Angola 1. N 2. E(N,K) SAAF Impala Russian MIG 1 Military needs many specialized.

Network Security Celia Li Computer Science and Engineering York University.

Cryptography services Lecturer: Dr. Peter Soreanu Students: Raed Awad Ahmad Abdalhalim

Bit Commitment, Fair Coin Flips, and One-Way Accumulators Matt Ashoff 11/9/2004 Cryptographic Protocols.

CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.

Encryption and Integrity

Introduction to Symmetric-key and Public-key Cryptography

Outline Using cryptography in networks IPSec SSL and TLS.

Presentation transcript:

1 Uncoercible Communication, or How to Lie with Impunity Matthew Kerner CSEP 590 3/5/06

2 Problem Statement Alice broadcasts encrypted messages over a public channel Eve can see ciphertext and coerces Alice before and/or after communication –Demands that Alice sends a particular message –Demands plaintext & receipt to compare with ciphertext Encryption is often a “committing” process How can Alice signal coercion to Bob yet still avoid reprisal by Eve?

3 Benaloh & Tuinstra: Parallel Uncoercible Communication Protocol Shared key K: (L-bit head) … (N bit tail) Alice Bob Shared private channel (e.g. synchronized SecurID units) L-bit message M: … Shared key K: … Ciphertext C: … || (N bit tail of K) Check N-bit tail against K Accept message Reject message What happens if Eve forces L-bit message beforehand? - Alice corrupts N-bit tail What happens if Eve specifies ALL bits beforehand? - Eve must guess N-bit tail correctly (P = 2 -N ) Later, Alice gives Eve “receipt” with some K -All Ks equally plausible! -Can correspond to any plaintext – free or forced

4 Rivest: Chaffing & Winnowing Encryption-free privacy mechanism via std authentication mechanism (keyed HMAC) m-bit Message M: Split into m 1-bit packets:(i, M i, HMAC(K AB, i || M i )) (1, 1, HMAC(K AB, 1 || 1)) (2, 0, HMAC(K AB, 2 || 0)) (3, 1, HMAC(K AB, 3 || 1)) Alice Bob Shared session authentication key K AB Send in the clear Check HMACs and throw away unauthenticated packets (1, 0, Random) (2, 1, Random) (3, 0, Random) Now Alice adds “chaff” Hard for Eve to calculate HMAC without K AB Eve cannot tell wheat from chaff! Multiple simultaneous chaff streams with K ABi Alice & Bob can claim any K ABi is the real one! 101… Bob will throw chaff away (bad MAC) Plausible deniability for precomputed plaintexts

5 Summary & Practical Considerations Methods to exploit degrees of freedom in key/private randomness to generate multiple plausible explanations for communication –Choose forged plaintext at time of encryption –Choose forged plaintext at time of coercion –Some resistant to coercion beforehand (uncoercible) and others resistant to coercion only afterwards (deniable) Must use the method all the time or an adversary may coerce you with a more restricted mechanism Multiple coercion targets must coordinate stories Cleanest option for post-facto coercion: just delete or forget key & randomness

6 Backup

7 Other Methods Clayton & Danezis: Plausibly Deniable Routing Steganography –Steganography is information hiding Example: low-order pixel bits in image contain string –Weak: security through obscurity –Stronger: “keyed” steganography Example: keyed hash selects pixels to encode with –Plausible deniability in steganography Rely on security by obscurity: claim the cover text is the message Parallel steganographic methods: claim that one of n methods is correct Keyed steganographic methods with multiple keys: claim that one of n keys is correct