1 Intro To Encryption Exercise 10. 2 Analyze the following scenario: Sender:  Cipher1= Encrypt message with symmetric key algorithm  RSA_Encrypt (SHA1(message)

Slides:



Advertisements
Similar presentations
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
Advertisements

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures and Hash Functions. Digital Signatures.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.
Network Security – Part 2 Public Key Cryptography Spring 2007 V.T. Raja, Ph.D., Oregon State University.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.
CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.
ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.
ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.
Encryption Methods By: Michael A. Scott
Computer Science Public Key Management Lecture 5.
13.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 13 Digital Signature.
Security using Encryption Security Features Message Origin Authentication - verifying that the sender is who he or she says they are Content Integrity.
Chapter 13 Digital Signature
1 Lecture 18: Security issues specific to security key management services –privacy –integrity/authentication –nonrepudiation/plausible deniability.
8. Data Integrity Techniques
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall
Public Key Cryptography July Topics  Symmetric and Asymmetric Cryptography  Public Key Cryptography  Digital Signatures  Digital Certificates.
Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Pretty Good Privacy by Philip Zimmerman presented by: Chris Ward.
Bob can sign a message using a digital signature generation algorithm
Rennes, 15/10/2014 Cristina Onete Message authenticity: Digital Signatures.
CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Secure r How do you do it? m Need to worry about sniffing, modifying, end- user masquerading, replaying. m If sender and receiver have shared secret.
Network Security – Part 2 (Continued) Lecture Notes for May 8, 2006 V.T. Raja, Ph.D., Oregon State University.
IT 221: Introduction to Information Security Principles Lecture 6:Digital Signatures and Authentication Protocols For Educational Purposes Only Revised:
10/1/2015 9:38:06 AM1AIIS. OUTLINE Introduction Goals In Cryptography Secrete Key Cryptography Public Key Cryptograpgy Digital Signatures 2 10/1/2015.
Cryptography, Authentication and Digital Signatures
Digital Signatures A primer 1. Why public key cryptography? With secret key algorithms Number of key pairs to be generated is extremely large If there.
Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.
4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.
Introduction1-1 Data Communications and Computer Networks Chapter 6 CS 3830 Lecture 31 Omar Meqdadi Department of Computer Science and Software Engineering.
Chapter 31 Cryptography And Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Cryptography Wei Wu. Internet Threat Model Client Network Not trusted!!
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Digital Signatures, Message Digest and Authentication Week-9.
Cryptographic Hash Functions and Protocol Analysis
Cryptography: Digital Signatures Message Digests Authentication
Cryptography 1 Crypto Cryptography 2 Crypto  Cryptology  The art and science of making and breaking “secret codes”  Cryptography  making “secret.
Authentication Issues and Solutions CSCI 5857: Encoding and Encryption.
A A E E D D C C B B # Symmetric Keys = n*(n-1)/2 F F
Identity based signature schemes by using pairings Parshuram Budhathoki Department of Mathematical Science FAU 02/21/2013 Cyber Security Seminar, FAU.
Protocol Analysis. CSCE Farkas 2 Cryptographic Protocols Two or more parties Communication over insecure network Cryptography used to achieve goal.
1 Cryptography Troy Latchman Byungchil Kim. 2 Fundamentals We know that the medium we use to transmit data is insecure, e.g. can be sniffed. We know that.
EE 122: Lecture 24 (Security) Ion Stoica December 4, 2001.
Copyright 2004 MayneStay Consulting Group Ltd. - All Rights Reserved Jan-041 Security using Encryption Security Features Message Origin Authentication.
Cryptographic Security Aveek Chakraborty CS5204 – Operating Systems1.
Secure Instant Messenger in Android Name: Shamik Roy Chowdhury.
Cryptography and Network Security Chapter 13
Basics of Cryptography
Computer Communication & Networks
Secure How do you do it? Need to worry about sniffing, modifying, end-user masquerading, replaying. If sender and receiver have shared secret keys,
Chapter 13 Digital Signature
Chapter 29 Cryptography and Network Security
Chapter 8 roadmap 8.1 What is network security?
Cryptography Lecture 26.
Presentation transcript:

1 Intro To Encryption Exercise 10

2 Analyze the following scenario: Sender:  Cipher1= Encrypt message with symmetric key algorithm  RSA_Encrypt (SHA1(message) + symmetric key) with sender's RSA private key  Cipher2 = Encrypt cipher1 with symmetric key algorithm  RSA_Encrypt (symmetric key2) with receiver's RSA public key  Send super-encrypted message Receiver:  RSA_Decrypt (symmetric key2) with receiver's RSA private key  Decrypt(cipher2)  RSA_Decrypt (symmetric key1), parse out digest, i.e., SHA1(message)  Decrypt(cipher1)  compare digest with SHA1(Decrypt(cipher1))

3 Scenario Cont’ SymmetricKey1 = 3DES_IV1, 3DES_Key1 Cipher1 = 3DES_Encrypt(message) Digest = SHA1(message) RSA_Key1 =  RSA_Private_Encrypt(Digest || 3DES_Key1) SymmetricKey2 = 3DES_IV2, 3DES_Key2 Cipher2 = 3DES_Encrypt(Cipher1) RSA_Key2 = RSA_Public_Encrypt(3DES_Key2) Leading question: What does the author want to do here?

4 Do we really need Cipher1??? Encryption with sender’s private key??? Don’t you mean sign? RSA_Encrypt RSA_Sign(SHA1(message) + symmetric key)  Why sign symmetric key??? The attacker will know it. May fix by signing only SHA1(message) Why encrypt CIpher2??? Isn’t it already encrypted?  Or do you wish to cascade? This isn’t an efficient cascade. Why encrypt using AES? Don’t you mean CBC-AES for CPA-IND and VIL messages? Some point to think about

5 Some more points to think about The following May be written in a single notation as they are classical Hybrid Encryption Instead of:  Cipher2 = Encrypt cipher1 with symmetric key algorithm  RSA_Encrypt (symmetric key2) with receiver's RSA public key Write:  Encrypt_RSA_AES_receiverPK(cipher1)

6 Some even more points to think about Regarding SIGN sk (SHA1(message))  It is a good idea NOT to let the attacker see SHA1(message). SHA1 does not require to reserve COMPLETE confidentiality of the message, i.e. bits may fall into ADV hands message (m) may be of a small set of messages (i.e. S={ “buy”, “sell”, “wait”, “bid” …}). So attacker may be able to calculate:  For each message in S do :SHA1(S[message])  Fix: instead of sending Encryption and Authentication in parallel, Send Encrypt (Message, SHA1(message))

7 Last (but not least) point You wish to achieve verification of: 1. The sender who originated the message 2. The receiver is the intended receiver 3. The message was not altered during transport However, point 2 is not correct from the following scheme. Basically you sign-then-encrypt. Meaning Eve may decrypt the messages sent to her and re-encrypt them and send them forward implicating the original sender.

8 Existential Forgery CMA on Signature Given algorithm A with oracle to D key, i.e. CMA-EF A,,k,q :  (pk, sk)  KG (1 k ); /* k is security parameter */  s  A Sign[sk] (“forge”, pk, 1 k ); /* M is the set of messages chosen by A */  Return “win” if: Ver pub (s)=Ok, and Msg pub (s) was not an input to the Sign oracle, and There were at most q queries to the Sign oracle. Exercise: Define {selective, random, universal} forgery CMA, KMA

9 Problem Define CMA selective forgery  Given algorithm A with oracle to D key, i.e.  CMA-EF A,,k,q : m  A Choose (M) /* M is the set of messages chosen by A */ (pk, sk)  KG (1 k ); /* k is security parameter */ s  A Sign[sk] (“forge”, pk, 1 k ); Return “win” if:  Ver pub (s)=Ok, and  Msg pub (s) was not an input to the Sign oracle, and  There were at most q queries to the Sign oracle.

10 Problem Design a simple protocol for sending certified using a post-office trusted by sender and recipient. The recipient should receive proof of the sender's identity and time of transmission, which he can later present to the post office. Similarly, the sender should receive proof of the recipient's identify and time of transmission. You may involve the post-office in the protocol do not use public key cryptography and do not require the post-office to maintain long-term records.

11 Solution Let there be 3 parties: Alice, Bob and PostOffice. The following are keys for the parties:  kp: shared among Alice, Bob and Post  kpr: secret key of Post When Post send Message to sender, it delivers  MAC kp (message,date,receiver,sender) – for receiver to verify delivery  MAC kpr (message,date,receiver,sender) – for proof of delivery (receipt) Verification: The receipt is sent to the post office along with the message and ids of sender and receiver. Verification is done on MAC kpr

12 Problem Describe the full solution for the protocol, i.e. the safe transport of messages from Alice, using Post to send message to Bob. This without Eve being able to know Message or forge message.

13 Problem Consider RSA signatures where messages are hashed and then raised by the private key  Sign d (m)=(h(m)) d mod n. Show a weakness with these signatures, when h() is not Multiplicative-resistant hash function  Multiplicative(a,b,c)=True if and only if ab=c.

14 Solution Using RSA multiplicative weakness In case a non multiplicative resistant hash is used ADV can multiply the messages again and again and forge as many as he/she wants. This may be the case for any message signed by the signer.