Secure password-based cipher suite for TLS: The importance of end-to-end security Marie L.S. Dumont CS 265.


Why integration of DH-EKE in TLS?

- Case Study: Web Banking
  - Authentication, Confidentiality and Integrity
- Sending passwords on one-way authenticated SSL Channels
  - Heavy burden on the user
- SSL with Client Certification
  - Requires proper protection of client's keys
- SSL Channels with DH-EKE passwords
  - Resistant to (offline) dictionary attack
  - Eliminates the requirement of a PKI

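Diffie-Hellman Encrypted Key Exchange (DH-EKE)

Client, Server (password pwd)

1. Client: $x \in Z_{p-1}$
   Client -> Server: $\hat{E}_{pwd}(h^x)$
2. Server: $y \in Z_{p-1}$, $K_{mstr} \leftarrow (h^x)^y$, $C_1 \in \mathrm{domain}(E)$
   Server -> Client: $\hat{E}_{pwd}(h^y)$, $E_{K_{mstr}}(C_1)$
3. Client: $K_{mstr} \leftarrow (h^y)^x$, $C_2 \in \mathrm{domain}(E)$
   Client -> Server: $E_{K_{mstr}}(C_1, C_2)$
4. Server: verify response
   Server -> Client: $E_{K_{mstr}}(C_2)$
5. Client: verify response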

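Refined DH-EKE

Client (password pwd), Server (password pwd)

1. Client: $x \in Z_{p-1}$, $K_{auth} = H_1(pwd, ID_C, ID_S)$
   Client -> Server: $\hat{E}_{K_{auth}}(h^x)$
2. Server: $y \in Z_q$, $K_{auth} = H_1(pwd, ID_C, ID_S)$
   Server: $K_{mstr} \leftarrow (h^x)^{y((p-1)/q)}$
   Server: $K_{conf} \leftarrow G_1(K_{mstr})$, $K_{sess} \leftarrow G_2(K_{mstr})$
   Server -> Client: $g^y$, $MAC_{K_{conf}}(\text{"1"}, \hat{E}_{K_{auth}}(h^x), g^y)$
3. Client: $K_{mstr} \leftarrow (g^y)^{x \pmod q}$
   Client: $K_{conf} \leftarrow G_1(K_{mstr})$, $K_{sess} \leftarrow G_2(K_{mstr})$
   Client: abort if MAC not OK
   Client -> Server: $MAC_{K_{conf}}(\text{"2"}, \hat{E}_{K_{auth}}(h^x), g^y)$
4. Server: abort if MAC not OK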
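
The refined DH-EKE flow above as a runnable sketch, showing that both sides reach the same session key and that a wrong password ends in an abort at the first MAC check. This is an added example, not code from the slides or their author. The toy group (p = 2039, q = 1019), the relation g = h^((p-1)/q), SHA-256 for H_1, G_1 and G_2, HMAC-SHA-256 for MAC, and the multiplicative mask standing in for the password-keyed cipher are all assumptions.

```python
import hashlib, hmac, secrets

# Toy group, constructed for this example and far too small for real use.
P, Q = 2039, 1019               # primes with p = 2q + 1
H = 7                           # assumed: h generates Z_p^*
G = pow(H, (P - 1) // Q, P)     # assumed: g = h^((p-1)/q), so g has order q

def prf(label, *parts):
    """Stand-in for H_1, G_1, G_2: SHA-256 over a label and the inputs."""
    return hashlib.sha256(b"|".join([label, *parts])).digest()

def pad(k_auth):
    """Element of Z_p^* derived from K_auth, used as a multiplicative mask."""
    return int.from_bytes(prf(b"pad", k_auth), "big") % (P - 1) + 1

def enc(k_auth, elem):          # stand-in for the password-keyed cipher
    return elem * pad(k_auth) % P

def dec(k_auth, ct):
    return ct * pow(pad(k_auth), -1, P) % P

def derive(k_mstr):             # returns (K_conf, K_sess)
    raw = k_mstr.to_bytes(2, "big")
    return prf(b"G1", raw), prf(b"G2", raw)

def mac(k_conf, flow, ct, gy):
    msg = flow + ct.to_bytes(2, "big") + gy.to_bytes(2, "big")
    return hmac.new(k_conf, msg, hashlib.sha256).digest()

def handshake(client_pwd, server_pwd, id_c=b"client", id_s=b"server"):
    """Return (client K_sess, server K_sess), or None if either side aborts."""
    # Flow 1, client -> server: E_Kauth(h^x)
    x = secrets.randbelow(P - 2) + 1
    ct = enc(prf(b"H1", client_pwd, id_c, id_s), pow(H, x, P))
    # Flow 2, server -> client: g^y, MAC_Kconf("1", E_Kauth(h^x), g^y)
    y = secrets.randbelow(Q - 1) + 1
    hx = dec(prf(b"H1", server_pwd, id_c, id_s), ct)
    kconf_s, ksess_s = derive(pow(hx, y * ((P - 1) // Q), P))
    gy = pow(G, y, P)
    mac1 = mac(kconf_s, b"1", ct, gy)
    # Client derives its keys and aborts on a bad MAC (e.g. wrong password)
    kconf_c, ksess_c = derive(pow(gy, x % Q, P))
    if not hmac.compare_digest(mac1, mac(kconf_c, b"1", ct, gy)):
        return None
    # Flow 3, client -> server: MAC_Kconf("2", ...); server aborts on a bad MAC
    mac2 = mac(kconf_c, b"2", ct, gy)
    if not hmac.compare_digest(mac2, mac(kconf_s, b"2", ct, gy)):
        return None
    return ksess_c, ksess_s
```

With matching passwords the two master-key computations agree because (h^x)^(y(p-1)/q) and (g^y)^(x mod q) are both g^(xy); with different passwords the server unmasks a different group element, so the confirmation keys differ and the client rejects the first MAC.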

Overview of TLS

Client -> Server: ClientHello
Server -> Client: ServerHello, Certificate*, ServerKeyExchange*, CertificateRequest*, ServerHelloDone
Client -> Server: Certificate*, ClientKeyExchange, CertificateVerify*, [ChangeCipherSpec], Finished
Server -> Client: [ChangeCipherSpec], Finished
Client <-> Server: Application Data

Integration of DH-EKE in TLS

Client (password pwd), Server ($v = g_*^{K_{vrfy}}$, $K_{auth}$)

1. Client -> Server: ClientHello
2. Server: choose $y, y' \in_R Z_q$
   Server -> Client: ServerHello, ServerKeyExchange($g^y$, $g_*^{y'}$), ServerHelloDone
3. Client: derive $K_{auth}$ and $K_{vrfy}$ from pwd and choose $x \in_R Z_{p-1}$
   Client: calculate premaster secret $pms = H_3((g^y)^{x \pmod q}, (g_*^{y'})^{K_{vrfy}})$
   Client -> Server: ClientKeyExchange($\hat{E}_{K_{auth}}(h^x)$), [ChangeCipherSpec], Finished($MAC_{G_3(pms)}(\hat{E}_{K_{auth}}(h^x), g^y, \ldots)$)
4. Server: calculate premaster secret $pms = H_3((h^x)^{y((p-1)/q)}, v^{y'})$
   Server: accept if Finished OK
   Server -> Client: [ChangeCipherSpec], Finished($MAC_{G_4(pms)}(\hat{E}_{K_{auth}}(h^x), g^y, \ldots)$)
5. Client: accept if Finished OK
6. Client <-> Server: Application Data

Notations

- $p, q$: Primes
- $g$: Generator in $Z_p$
- $h$: Generator in subgroup $G$ of $Z_p$ with order $q$
- $x, y$: Secret exponent $\in_R Z_q$
- $pwd$: Password / weak secret
- $K_{auth}$: Key derived from password ($= H_1(pwd, ID_C, ID_S)$)
- $v$: Verifier derived from password via one-way function
- $E_{pwd}$: Symmetric encryption with password as shared key
- $MAC_k(\ldots)$: Message Authentication Code on … with key $k$
- $H_i$: Pseudo-random functions
- $G_i$: Key derivation functions
- $K_{mstr}$: Master key for a session
- $K_{conf}$: Handshake confirmation key
- $K_{sess}$: Session key

Conclusion

- Password-based protocols can be made secure
  - no (trusted) storage
  - minimal infrastructure requirements
- Integration of DH-EKE in TLS
  - is as non-intrusive as possible
  - requires minimal number of flows
  - has competitive performance