Department of Computer Science, National Tsing Hua University; Information Security Laboratory; Hung-Min Sun (孫宏民); Phone: 03-5742968. Network Security --- Key Establishment Protocols.


Page 2: Outline
- Basic Cryptographic Concept
- Symmetric Encryption
- Asymmetric Encryption
- Digital Signature
- Encrypted Key Exchange (EKE)
- Conclusions

Page 3: Cryptographic System

Page 4: Four Basic Services of Cryptography
1. Confidentiality (Secrecy): The intruder cannot read the encrypted message from the ciphertext.
2. Authentication: It should be possible for the receiver of a message to ascertain its origin; an intruder should not be able to masquerade as someone else.
3. Integrity: It should be possible for the receiver of a message to verify that it has not been modified in transit; an intruder cannot substitute a false message for a legitimate one.
4. Nonrepudiation: A sender should not be able to falsely deny later that he sent a message.

Page 5: Cryptographic System
[Figure: Plaintext (M), Encryption with key K1, Ciphertext (C), Decryption with key K2, M; a Cryptanalyst is also shown]
- Symmetric Cryptosystem: The encryption and decryption keys are the same ($E_K(M) = C$ and $D_K(C) = M$).
- Asymmetric Cryptosystem: The encryption and decryption keys are different ($E_{K_1}(M) = C$ and $D_{K_2}(C) = M$). The encryption key is public, while the decryption key cannot be calculated from the public key.

Page 6: Symmetric Cryptosystem
- DES (1977)
- IDEA (1992)
- RC5 (1994)
- AES (2001)

Page 7: Symmetric Cryptosystem
Security Service: Confidentiality, Authentication, Integrity
Advantage: High speed
Disadvantages: how to obtain a common secret key between two parties; the number of secret keys is too big; cannot achieve nonrepudiation.

Page 8: Asymmetric Cryptosystem
- RSA (1978)
- El-Gamal (1984)
- McEliece (1978)
- Knapsack (1978)

Page 9: Asymmetric Cryptosystem
Security Service: Confidentiality, Integrity, Authentication (by Signature), Nonrepudiation (by Signature)
Advantage: a pair of keys for each user
Disadvantages: slow speed; public keys need to be authenticated by a CA

Page 10: RSA (Encryption & Decryption)
Public key: $n = pq$, where $p$ and $q$ are large primes (512 bit), and $e$ with $\gcd(e, (p-1)(q-1)) = 1$
Private key: $d$, where $ed \equiv 1 \pmod{(p-1)(q-1)}$
Encryption: $C = M^e \bmod n$
Decryption: $M = C^d \bmod n$
Example: $p = 47$, $q = 71$, so $n = 3337$; $e = 79$, so $d = 1019$; $M = 688$
Encryption: $C = M^e \bmod n = 688^{79} \bmod 3337 = 1570$
Decryption: $M = C^d \bmod n = 1570^{1019} \bmod 3337 = 688$

Page 11: One-way hash function
- Input: X (unlimited length); Output: Y = H(X) (fixed length, e.g., 160 bit)
- Given X, it is easy to compute Y.
- Given Y and H( ), it is computationally infeasible to compute X.
- Given X and Y, it is computationally infeasible to find X' such that Y = H(X').

Page 12: Digital Signature
[Figure: Signer A produces Signature (S) on Message M with the Private Key (Signature Generation); Verifier B checks M and S with the Public Key (Signature Verification), giving True or False]

Page 13: Digital Signature
Hash Functions: SHA, MD5, FFT, Snefru, N-Hash
Signature Functions: RSA, DSA, El-Gamal, Elliptic Curve, LUC
[Figure: M, Hash, h(M), Signature, S; M and S]

Page 14: RSA Digital Signature
Public key: $n = pq$, where $p$ and $q$ are large primes (512 bit), and $e$ with $\gcd(e, (p-1)(q-1)) = 1$; $h$ is a hash function.
Private key: $d$, where $ed \equiv 1 \pmod{(p-1)(q-1)}$
Sign: $S = h(M)^d \bmod n$
Verify: $h(M) = S^e \bmod n$
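The RSA operations on pages 10 and 14, worked through in Python as an added example (not part of the original slides). It follows the slides' unpadded formulas; the function names, SHA-256 reduced mod n as the hash h, and the signing key built from the Mersenne primes 2^61 - 1 and 2^89 - 1 with e = 65537 are assumptions for illustration, and that key is far smaller than the 512-bit primes the slides call for.

```python
import hashlib


def make_key(p, q, e):
    """Build (n, e, d) from primes p, q and public exponent e."""
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # raises ValueError if gcd(e, phi) != 1
    return p * q, e, d


def encrypt(m, e, n):
    """C = M^e mod n."""
    return pow(m, e, n)


def decrypt(c, d, n):
    """M = C^d mod n."""
    return pow(c, d, n)


def h(message, n):
    """Assumed hash: SHA-256 of the message bytes, reduced into [0, n)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, d, n):
    """S = h(M)^d mod n."""
    return pow(h(message, n), d, n)


def verify(message, s, e, n):
    """Accept only if h(M) = S^e mod n."""
    return pow(s, e, n) == h(message, n)


# The key from page 10: p = 47, q = 71, e = 79.
TOY = make_key(47, 71, 79)
# Constructed signing key (assumption): larger than the toy key, still not a real key size.
SIG = make_key(2**61 - 1, 2**89 - 1, 65537)

if __name__ == "__main__":
    n, e, d = TOY
    print("n, e, d =", TOY, "C =", encrypt(688, e, n))
    n, e, d = SIG
    s = sign(b"pay 10", d, n)
    print(verify(b"pay 10", s, e, n), verify(b"pay 1000", s, e, n))
```

A signature made for one message is rejected for any other message and for any altered signature value, which is the integrity and nonrepudiation property the slides attribute to signatures.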

Page 15: Secure Communication between Client and Server
- Using Symmetric Cryptosystem: Each client and the server share a common secret key.
[Figure: messages between Client and Server: $ID_c, E_k(M)$ and $E_k(M')$]
Disadvantages:
1. The secret key must be strong.
2. If the secret key is revealed, the messages in the past will also be revealed.

Page 16: Secure Communication between Client and Server
- Using Asymmetric Cryptosystem: Encryption + Signature (see next page)
Disadvantages:
1. Public keys need to be authenticated by a CA.
2. The private key must be strong.
3. If the server's private key is revealed, the messages in the past will also be revealed.

Page 17: Secure Communication between Client and Server

Page 18: User Authentication in general
- Based on one or more of:
  - something a user has (smart card/token card)
  - something a user is (fingerprint/voiceprint/retinal scan)
  - something a user knows (password/short secret)
- What's a popular user authentication system based on three of these?

Page 19: Secure Password Authentication
- Remote user access
- Goal: to be secure without requiring the user to carry or remember anything except a password
[Figure: Remote client; Firewall-protected domain; VPN traffic (authenticated using password)]

Page 20: Dictionary Attacks (Password Guessing Attacks)
- An off-line, brute-force guessing attack conducted by an attacker on the network.
- The attacker usually has a "dictionary" of commonly used passwords to try.
- People pick easily remembered passwords.
- "Easy-to-remember" is also "easy-to-guess".

Page 21: Password-based protocols
- Telnet, FTP are insecure. [Figure: Client to Server: $ID_c$, Password]
- Hash function is still insecure. [Figure: Client to Server: $ID_c$, h(Password)]

Page 22: Password-based Protocol with Challenge
- Insecure against dictionary attacks.
[Figure: messages between Client and Server: ID, Cha, h(Cha, Password)]

Page 23: We need a password-based authentication protocol which is secure against dictionary attacks.

Page 24: Secure Communication between Client and Server
- What to do after authentication?
- We need a common session key to protect our communication.
- Diffie-Hellman key agreement lets two parties share a common session key.

Page 25: Diffie-Hellman Key Agreement
- Goal: to let two parties share a common session key
- p: large prime, g: generator
[Figure: Client sends $g^{R_a} \bmod p$; Server sends $g^{R_b} \bmod p$; Client computes $K = (g^{R_b})^{R_a} \bmod p$; Server computes $K = (g^{R_a})^{R_b} \bmod p$]

Page 26: Man-in-the-middle attack

Page 27: Diffie-Hellman Key Agreement
- Diffie-Hellman key agreement is vulnerable to the man-in-the-middle attack; it does not provide authentication.
- How about Diffie-Hellman key agreement using public keys?
- Problems: (1) it does not provide forward secrecy; (2) the key is hard to remember (not a password).
[Figure: Client, Server]
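The exchange on page 25 and the authentication gap noted on page 27, as an added Python example (not part of the original slides). The parameters p = 2^127 - 1 and g = 3, the function names and the fingerprint comparison are assumptions for illustration; the prime is far too small for real use and g is not checked to generate the whole group.

```python
import hashlib
import secrets

# Toy parameters (assumptions, see lead-in).
P = 2**127 - 1
G = 3


def keypair():
    """Return (secret exponent R, public value g^R mod p)."""
    r = secrets.randbelow(P - 3) + 2  # 2 <= R <= p - 2
    return r, pow(G, r, P)


def shared_key(own_secret, peer_public):
    """K = (peer_public)^R mod p, as on page 25."""
    return pow(peer_public, own_secret, P)


def fingerprint(k):
    """Short digest of K that the two ends could compare over an authenticated channel."""
    return hashlib.sha256(k.to_bytes(16, "big")).hexdigest()[:16]


def honest_run():
    """Both public values arrive unmodified: Client and Server derive the same K."""
    ra, ga = keypair()
    rb, gb = keypair()
    return shared_key(ra, gb), shared_key(rb, ga)


def substituted_run():
    """Both public values are replaced in transit (page 26); nothing in the protocol notices."""
    ra, ga = keypair()  # Client
    rb, gb = keypair()  # Server
    rx, gx = keypair()  # delivered to the Client in place of g^Rb
    ry, gy = keypair()  # delivered to the Server in place of g^Ra
    k_client = shared_key(ra, gx)
    k_server = shared_key(rb, gy)
    # The party in the middle can compute both keys from its own exponents.
    return k_client, k_server, shared_key(rx, ga), shared_key(ry, gb)


if __name__ == "__main__":
    kc, ks = honest_run()
    print("honest:     ", fingerprint(kc), fingerprint(ks))
    kc, ks, _, _ = substituted_run()
    print("substituted:", fingerprint(kc), fingerprint(ks))
```

Both runs complete without error on each side; only a comparison bound to something the intermediary does not know (here the fingerprints, in EKE the shared password) reveals that the keys differ.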

Page 28: Research Goal
- To design a user authentication and key agreement protocol via password.
- The protocol must satisfy the following requirements:
  1. based on password only,
  2. password may be weak,
  3. be secure against the dictionary attack,
  4. can provide perfect forward secrecy.

Page 29: Encrypted Key Exchange (EKE) [Bellovin and Merritt, 1992]
- Two parties share a common password.
- EKE can withstand dictionary attacks.
[Figure: Client and Server each hold P; steps shown: Generate encrypt/decrypt keys, Generate R; messages R(Cha), R(Cha||Chb), R(Chb)]

Page 30: DHEKE [Bellovin and Merritt, 1992]

Page 31: Conclusions
- Password authentication and key agreement protocols are widely used. Ex.: Electronic Commerce, Electronic Stock Trading
- Two-party protocols are suitable for a client/server environment. Ex.: Telnet, FTP
- Three-party protocols are suitable for a single-server, multiple-client environment. Any two clients can authenticate each other and reach secure communication.

Page 32: Three-Party Key Exchange Protocol
- Each client shares an easy-to-remember password with the server.
- The protocol is responsible for establishing secure communication between two clients with the help of the server.
- Application: e.g., ICQ or mobile users

Page 33: STW-3PEKE [Steiner, Tsudik, and Waidner, 1995]
[Figure: message flow among A, S and B]

Page 34: Undetectable On-line guessing attack (I) [Ding and Horster, 1995]
[Figure: message flow among A, S and B; steps labelled record, guess, get]

Page 35: Undetectable On-line guessing attack (II) [Ding and Horster, 1995]
[Figure: message flow between S and B; steps labelled guess, compute]

Page 36: Off-line Guessing Attack on STW-3PEKE [Lin, Sun, and Hwang, 2000]
[Figure labels: A*S*B]

Page 37: LSH-3PEKE (with server's public key) [Lin, Sun, and Hwang, 2000]
[Figure: message flow among A, S and B]

Page 38: LSSH-3PEKE (without server's public key) [Lin, Sun, Steiner, and Hwang, 2001]
[Figure: message flow among A, S and B; label A,B]

Page 39: Performance Comparison

Page 40: Verifier-based Protocol
- A server does not store the plain password directly.
- Instead of storing a plain password, a server stores a verifiable text (called a verifier).
- It provides a higher security level: an attacker must perform a dictionary attack when the server is corrupted.
- Furthermore, a verifier-based protocol can withstand the stolen-verifier attack.

Page 41: References
1. Bellovin, S. and Merritt, M., 1992, "Encrypted Key Exchange: Password-based Protocols Secure against Dictionary Attacks," Proceedings of IEEE Symposium on Research in Security and Privacy, Oakland.
2. Steiner, M., Tsudik, G. and Waidner, M., 1995, "Refinement and Extension of Encrypted Key Exchange," ACM Operating Systems Review, Vol. 29, Issue 3, pp
3. Ding, Y. and Horster, P., 1995, "Undetectable On-line Password Guessing Attacks," Technical Report, TR F, July.
4. C. L. Lin, H. M. Sun, and T. Hwang, 2000, "Three-Party Encrypted Key Exchange: Attacks and a Solution," ACM Operating Systems Review, Vol. 34, No. 4, pp
5. C. L. Lin, H. M. Sun, M. Steiner, and T. Hwang, 2001, "Three-party Encrypted Key Exchange Without Server Public-Keys," IEEE Communications Letters, Vol. 5, No. 12, pp
6. C. L. Lin, H. M. Sun, and T. Hwang, 2001, "Efficient and Practical DHEKE Protocols," ACM Operating Systems Review, Vol. 35, No. 1, pp