Chapter 3: Basic Protocols Dulal C. Kar. Key Exchange with Symmetric Cryptography Session key –A separate key for one particular communication session.

Slides:



Advertisements
Similar presentations
Chapter 10 Real world security protocols
Advertisements

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
CSC 474 Information Systems Security
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
Interlock Protocol - Akanksha Srivastava 2002A7PS589.
Basic Protocols Schneier Ch. Three. Key Exchange w/ Symmetric Crypto 1.Desire A and B on network, sharing secret key with KDC. How??? 2.A request session.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,
Computer Security Key Management
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
SMUCSE 5349/73491 Authentication Protocols. SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric.
Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.
Chapter 9 Cryptographic Protocol Cryptography-Principles and Practice Harbin Institute of Technology School of Computer Science and Technology Zhijun Li.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Strong Password Protocols
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Pretty Good Privacy by Philip Zimmerman presented by: Chris Ward.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.
Network and Communications Network Security Department of Computer Science Virginia Commonwealth University.
Chapter 4: Intermediate Protocols
Symmetric versus Asymmetric Cryptography. Why is it worth presenting cryptography? Top concern in security Fundamental knowledge in computer security.
COEN 351 E-Commerce Security Essentials of Cryptography.
Chapter 2: Protocol Building Blocks
Authentication: keys, MAC, hashes, message digests, digital signatures.
Lecture 11: Strong Passwords
4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.
Based on Schneier Chapter 5: Advanced Protocols Dulal C. Kar.
Using Cryptography for Network Security Common problems: –Authentication - A and B want to prove their identities to one another –Key-distribution - A.
Software Security Seminar - 1 Chapter 5. Advanced Protocols 조미성 Applied Cryptography.
Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings.
PUBLIC-KEY CRYPTOGRAPH IT 352 : Lecture 2- part3 Najwa AlGhamdi, MSc – 2012 /1433.
Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
Based on Bruce Schneier Chapter 8: Key Management Dulal C Kar.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Digital Signatures, Message Digest and Authentication Week-9.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
Protocols Chapter 2 Protocol: A series of steps, involving two or more parties, designed to accomplish a task. All parties involved must know the protocol.
1 Needham-Schroeder A --> S: A,B, N A S --> A: {N A,B,K AB,{K AB,A} KBS } KAS A --> B:{K AB,A} KBS B --> A:{N B } KAB A --> B:{N B -1} KAB.
Using Cryptography for Network Security Common problems: –Authentication - A and B want to prove their identities to one another –Key-distribution - A.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
15-499Page :Algorithms and Applications Cryptography I – Introduction – Terminology – Some primitives – Some protocols.
A A E E D D C C B B # Symmetric Keys = n*(n-1)/2 F F
1 Chapter 10: Key Management in Public key cryptosystems Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Modified by Prof. M. Singhal,
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Authentication Protocols (I): Secure Handshake.
COEN 351 E-Commerce Security
Software Security Seminar - 1 Chapter 4. Intermediate Protocols 발표자 : 이장원 Applied Cryptography.
1 Chapter 3-3 Key Distribution. 2 Key Management public-key encryption helps address key distribution problems have two aspects of this: –distribution.
Diffie-Hellman Key Exchange first public-key type scheme proposed by Diffie & Hellman in 1976 along with the exposition of public key concepts – note:
9.2 SECURE CHANNELS JEJI RAMCHAND VEDULLAPALLI. Content Introduction Authentication Message Integrity and Confidentiality Secure Group Communications.
Chapter 3 Basic Protocols. 3.1 Key Exchange n Session Key - Why? n Key Exchange with Symmetric Cryp. KDC request E KA (K AB ), E KB (K AB ) E KB (K AB.
Department of Computer Science Chapter 5 Introduction to Cryptography Semester 1.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
Software Security Seminar - 1 Chapter 2. Protocol Building Blocks 발표자 : 최두호 Applied Cryptography.
Fourth Edition by William Stallings Lecture slides by Lawrie Brown
Computer Communication & Networks
AIT 682: Network and Systems Security
Presentation transcript:

Chapter 3: Basic Protocols Dulal C. Kar

Key Exchange with Symmetric Cryptography Session key –A separate key for one particular communication session Assume Alice and Bob share a secret key with KDC (Trent) Protocol 1.Alice asks Trent for a session key to communicate with Bob 2.Trent generates a random session key and encrypts two copies of the a random session key, one with Alice’s key and the other with Bob’s key. Trent sends both copies to Alice. 3.Alice decrypts her copy of the session key and sends Bob his copy of the session key 4.Bob decrypts his copy of the session key

Key Exchange with Public-Key Cryptography 1.Alice gets Bob’s public key from the KDC 2.Alice generates a random session key, encrypts it using Bob’s public key and sends it to Bob 3.Bob then decrypts Alice’s message using his private key In practical implementations, signed public keys are maintained in a secure database The protocol is subject to man-in-the-middle attack. How?

Interlock Protocol (Rivest and Shamir) 1.Alice sends Bob her public key 2.Bob sends Alice his public key 3.Alice encrypts her message using Bob’s public key. She sends half of the encrypted message to Bob 4.Bob encrypts his message using Alice’s public key. He sends half of the encrypted message to Alice 5.Alice sends the other half of her encrypted message to Bob 6.Bob puts the two halves of Alice’s message together and decrypts it with his private key. Bob sends the other half of his encrypted message to Alice 7.Alice puts the two halves of Bob’s message together and decrypts it with her private key Has a good chance of foiling man-in-the-middle attack. How? –Mallory can substitute his own public keys for Alice’s and Bob’s in steps (1) and (2) –Cannot decrypt half of Alice’s message and reencrypt it with Bob’s public key. He must invent a totally new message and send half of it to Bob Important point –Half of the message is useless without the other half, it cannot be decrypted

Key Exchange with Digital Signature Circumvents man-in-the-middle attack Trent signs both Alice’s and Bob’s public keys When Alice and Bob receive the keys, each of them verifies Trent’s signature

Key and Message Transmission Without key-exchange protocol 1.Alice generates a random session key, K, and encrypts M using K. E K (M). 2.Alice gets Bob’s public key from the database and encrypts K with Bob’s public key. E B (K) 3.Alice sends both the encrypted message and encrypted session key to Bob. E K (M), E B (K) 4.Bob decrypts Alice’s session key, using his private key 5.Bob decrypts Alice’s message using the session key. Can be combined with digital signatures, timestamps, and any other security protocols

Key and Message Broadcast A protocol to send encrypted message M to Bob, Carol, and Dave 1.Alice encrypts M using random session key K. E K (M) 2.Alice encrypts K with Bob’s public key, encrypts K with Carol’s public key, and then encrypts K with Dave’s public key. E B (K), E C (K), E D (K) 3.Alice broadcasts E B (K), E C (K), E D (K), E K (M) 4.Only Bob, Carol, and Dave can decrypt K and message using K

Authentication Using One-way Function Protocol 1.Alice sends the host her password 2.Host performs a one-way function on the password and compares the value with the previously stored one Dictionary attack and salt –Salt is a random string concatenated with passwords –Most UNIX systems use only 12 bits of salt

SKEY An authentication program (For more details check: bin/man.cgi?query=skey&sektion=1) bin/man.cgi?query=skey&sektion=1 Makes use of one-way function, f Mechanism –To setup the system, Alice enters a random number –Computer computes x1 = f(R), x2 = f(f(R)), x3 = f(f(f(R))), and so on, about a hundred times –Alice receives the list of numbers x 1,..., x 100 and computer stores x 101 for Alice –To login Alice sends x 100 ; computer calculates f(x 100 ) and compares with x 101 –Computer replaces x 101 with x 100 and Alice crosses of x 100 –To login next time Alice will send x 99 –Alice has to reinitialize the system once she runs out of all

Authentication Using Public-key Cryptography Passwords using one-way functions are visible on the data path Public key cryptography solves the problem 1.Host sends Alice a random string 2.Alice encrypts the string with her private key and sends it back to host, along with her name 3.Host decrypts the message using Alice’s public key 4.If the decrypted string matches what the host sent Alice, the host allows access the system It is foolish to encrypt arbitrary strings sent by any third party. Why?

Mutual Authentication Using the Interlock Protocol Protocol 1.Alice and Bob trade public keys 2.Alice encrypts her password P A with Bob’s public key and sends it to him. 3.Bob encrypts his password P B with Alice’s public key and sends it to her 4.Each one verifies other Vulnerable to man-in-the-middle attack. How?

Symmetric Key Identification (SKID) SKID2 –Assume both Alice and Bob share a secret key, K –Allows Bob to prove his identity. How? –Protocol 1.Alice sends a random number, R A to Bob 2.Bob chooses a random number, R B and sends Alice: R B, H K (R A,R B,B), Where H K is the MAC and B is Bob’s name 3.Alice computes H K (R A,R B,B) and compares it with what she received from Bob to verify his identity

Authentication and Key Exchange Symbols AAlice’s name BBob’s name E A Encryption with a key Trent shares with Alice E B Encryption with a key Trent shares with Bob IIndex number KA random session key LLifetime T A, T B A timestamp R A, R B A random number, called a nonce, chosen by Alice and Bob respectively

Authentication and Key Exchange : Wide-Mouth Frog Simplest symmetric-key management protocol Uses a trusted server (Trent) Protocol 1.Alice sends to Trent: A, E A (T A,B,K) 2.Trent decrypts it and sends Bob: E B (T B, A, K) The protocol has several problems 1.A global clock is required 2.Trent has access to all keys 3.Shared key between Alice and Bob is completely determined by Alice (Can you trust Alice’s judgment?)

Authentication and Key Exchange: Yahalom Assumption: –Both Alice and Bob share a secret key with Trent Protocol –Alice sends Bob: A,R A –Bob sends to Trent: B, E B (A,R A,R B ) –Trent sends two messages to Alice: E A (B, K, R A, R B ), E B (A, K) –Alice extracts K from first message and confirms the value of R A. Alice sends Bob two messages: E B (A,K), E K (R B ) –Bob extracts K and confirms the value of R B Novelty of the protocol –Bob is the first one to contact Trent, who only sends one message to Alice

Authentication and Key Exchange: Kerberos Basic Kerberos 5 protocol 1.Alice sends to Trent: A,B 2.Trent sends two messages to Alice: E A (T,L,K,B), E B (T,L,K,A) 3.Alice sends two messages to Bob: E K (A,T), E B (T,L,K,A) 4. Bob sends Alice an encrypted message with the timestamp plus one: E K (T+1) Assumption: all clocks are synchronized with Trent’s clock

Authentication and Key Exchange: DASS Distributed Authentication Security Service (DASS) protocols Developed by digital equipment corporation DASS uses both public key and symmetric key cryptography Alice and Bob each have a private key Trent has signed copies of their public keys

Authentication and Key Exchange: DASS (cont’d) Alice sends Trent a message with Bob’s name: B Trent sends Alice: S T (B,K B ) Alice verifies Trent’s signature, generates session key, K and a random public-key/private-key pair, K P and sends three messages to Bob: E K (T A ), S KA (L,A,K P ), S KP (E KB (K)) Bob sends Trent: A Trent sends Bob: S T (A,K A ) Bob verifies Trent’s signature and confirm K A, verifies Alice’s signature and recovers K P and then verifies and recovers K. Then Bob decrypts T A to make sure this is a current message If mutual authentication required, Bob sends Alice: E K (T B ) Alice decrypts T B to make sure that the message is current

Authentication and Key Exchange: Woo-Lam Uses public-key cryptography 1.Alice sends Trent: A, B 2.Trent sends Alice: S T (K B ) 3.Alice verifies Trent’s signature and sends Bob: E KB (A,R A ) 4.Bob sends Trent: A,B,E KT (R A ) 1.Where K T is Trent’s public key 5.Trent sends Bob: S T (K A ), E KB (S T (R A,K,A,B)) 6.Bob verifies Trent’s signature and sends Alice: E KA (S T (R A,K,A,B),R B ) 7.Alice verifies Trent’s signature and her random number and sends Bob: E K (R B ) 8.Bob decrypts and verifies his random number

Secret Splitting Take a message and divide it up into pieces Each piece (called share) by itself has no information Simplest secret sharing scheme 1.Trent generates a random-bit string, R, the same length as the message, M. 2.Trent XOR’s M with R to generate S. 3.Trent gives R to Alice and S to Bob To reconstruct –Alice and Bob XOR their pieces Can be generalized to any number of shares This is an adjudicated protocol Problem with this protocol –Loss of a share will cause loss of the message entirely –One shareholder can subvert

Secret Sharing (m,n)-threshold scheme –Take any message and divide it into n pieces (called shares or shadows) such that any m of them can be used to reconstruct the message General threshold schemes are more versatile Variations of Secret Sharing Schemes –Secret sharing with cheaters –Secret sharing without Trent –Sharing a secret without revealing the shares –Verifiable secret sharing Allows each of the shareholders verify the validity of the share without revealing the secret –Secret-sharing schemes with prevention –Secret sharing with disenrollment Allows a new sharing scheme to be activated once one of the participants becomes untrustworthy

Cryptographic Protection of Databases Examples –Data security, privacy –Protecting mailing lists