Introduction to Information Security Lecture 6: Other Cryptographic Primitives 2009. 7.

Contents
1. Mode of Operation
2. Blind Signatures
3. Secret Sharing and Threshold Cryptography
4. Zero-knowledge Proofs
5. Identification, Authentication

Mode of Operation

Modes of Operation – ECB Mode (Electronic Code Book Mode)
- Break a message into a sequence of plaintext blocks
- Each plaintext block is encrypted (or decrypted) independently
- The same plaintext block always produces the same ciphertext block
- May not be secure; e.g., for a highly structured message, repeated plaintext blocks show up as repeated ciphertext blocks
- Typically used for secure transmission of single values (e.g., an encryption key)
[Figure: encryption E_K of P_1, P_2, ..., P_n into C_1, C_2, ..., C_n and decryption D_K back to P_1, ..., P_n, every block under the same key K]

Modes of Operation – CBC Mode (Cipher Block Chaining Mode)
- Each ciphertext block is affected by all previous blocks
- No fixed relationship between a plaintext block and its input to the encryption function
- The same plaintext block, if repeated, produces different ciphertext blocks
- The IV (Initialization Vector) must be known to both ends
- Most widely used mode for block encryption
[Figure: chained encryption E_K and decryption D_K of P_1, ..., P_n starting from the IV, under key K]
C_1 = E_K(P_1 ⊕ IV)      P_1 = IV ⊕ D_K(C_1)
C_2 = E_K(P_2 ⊕ C_1)     P_2 = C_1 ⊕ D_K(C_2)
C_3 = E_K(P_3 ⊕ C_2)     P_3 = C_2 ⊕ D_K(C_3)
C_4 = E_K(P_4 ⊕ C_3)     P_4 = C_3 ⊕ D_K(C_4)

Modes of Operation – CFB Mode (Cipher Feedback Mode)
- A way of using a block cipher as a stream cipher
- A shift register of block size maintains the current state of the cipher operation, initially set to some IV
- The value of the shift register is encrypted using key K, and the leftmost j bits of the output are XORed with the j-bit plaintext P_i to produce the j-bit ciphertext C_i
- The value of the shift register is shifted left by j bits, and C_i is fed back into the rightmost j bits of the shift register
- Typically j = 8, 16, 32, 64, ...
- The decryption function D_K is never used: both ends run E_K
[Figure: CFB encryption and decryption chains from the IV through P_1/C_1, P_2/C_2, ..., P_n/C_n, each stage using E_K]

Modes of Operation – OFB Mode (Output Feedback Mode)
- The structure is similar to that of CFB, but
  – CFB: the ciphertext is fed back into the shift register
  – OFB: the output of E is fed back into the shift register
- For security reasons, only the full feedback mode (j = block size) is used
- No error propagation: a bit error in C_i only affects the corresponding bit of P_i
- More vulnerable to a message stream modification attack (flipping a ciphertext bit flips the same plaintext bit)
- May be useful for secure transmission over noisy channels (e.g., satellite communication)
[Figure: OFB encryption and decryption chains from the IV through P_1/C_1, ..., P_n/C_n, each stage using E_K]

Modes of Operation – CTS Mode (Ciphertext Stealing Mode)
- Eliminates the padding requirement for block ciphers: the ciphertext has the same length as the plaintext
- The same as CBC mode, except for the encryption/decryption of the last two blocks (one complete block and the remaining partial block)
- Adopted in H.235 as one of the operating modes for block ciphers
[Figure: CTS encryption and decryption. The partial last block P_n is zero-padded (00...0), XORed with C_{n-1} and encrypted; the leading bits of C_{n-1} are "stolen" to serve as the short final ciphertext block C_n]
* H.235 covers security and encryption for H.323 and other H.245-based terminals.
* H.323 covers multimedia communication on any packet network.
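The following is an added example (not part of the lecture slides) that implements the ECB, CBC and CTS modes described on the slides above over a generic block encryption function, so the relationships C_i = E_K(P_i ⊕ C_{i-1}) and the last-two-block handling of ciphertext stealing can be traced in code. The block cipher it uses is a constructed toy Feistel permutation built from SHA-256 (chosen only so that the code runs without extra libraries; it is not a secure cipher), and the CTS layout (full last block followed by the stolen prefix of C_{n-1}) is one common variant, not necessarily the exact one in H.235.

```python
import hashlib

BLOCK = 16  # block size in bytes

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed toy block cipher: a 4-round Feistel network on 16-byte blocks whose
# round function is SHA-256 keyed with the round index. It is a keyed permutation
# with an exact inverse, which is all the modes below need. NOT a secure cipher.
def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def E(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right

def D(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right

def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # ECB: C_i = E_K(P_i); equal plaintext blocks give equal ciphertext blocks
    assert len(pt) % BLOCK == 0
    return b"".join(E(key, p) for p in _blocks(pt))

def ecb_leaks_repeats(key: bytes, pt: bytes) -> bool:
    """True if the ECB ciphertext contains a repeated block (the structure leak the slide warns about)."""
    blocks = _blocks(ecb_encrypt(key, pt))
    return len(set(blocks)) < len(blocks)

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # CBC: C_i = E_K(P_i xor C_{i-1}) with C_0 = IV
    assert len(pt) % BLOCK == 0
    out, prev = [], iv
    for p in _blocks(pt):
        prev = E(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    # CBC: P_i = C_{i-1} xor D_K(C_i)
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(D(key, c), prev))
        prev = c
    return b"".join(out)

def cts_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """CBC with ciphertext stealing: no padding, len(ct) == len(pt). Needs at least one full block."""
    assert len(pt) >= BLOCK
    d = len(pt) % BLOCK
    if d == 0:                                  # no partial block: plain CBC
        return cbc_encrypt(key, iv, pt)
    c_head = cbc_encrypt(key, iv, pt[:-d])      # C_1 .. C_{n-1} by ordinary CBC
    c_prev = c_head[-BLOCK:]                    # C_{n-1}
    padded = pt[-d:] + bytes(BLOCK - d)         # P_n || 00...0
    c_last = E(key, _xor(padded, c_prev))       # E_K(P_n' xor C_{n-1}), a full block
    # C_1 .. C_{n-2}, the full last block, then the first d bytes "stolen" from C_{n-1}
    return c_head[:-BLOCK] + c_last + c_prev[:d]

def cts_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    assert len(ct) >= BLOCK
    d = len(ct) % BLOCK
    if d == 0:
        return cbc_decrypt(key, iv, ct)
    body, c_last, stolen = ct[:-(BLOCK + d)], ct[-(BLOCK + d):-d], ct[-d:]
    x = D(key, c_last)                          # = P_n' xor C_{n-1}
    c_prev = stolen + x[d:]                     # C_{n-1}: stolen prefix plus the zero-padded part of x
    p_tail = _xor(x[:d], stolen)                # P_n = x[:d] xor C_{n-1}[:d]
    return cbc_decrypt(key, iv, body + c_prev) + p_tail
```

Encrypting a message made of three identical 16-byte blocks with ecb_encrypt yields three identical ciphertext blocks, while cbc_encrypt under the same key gives three different ones; cts_encrypt of a 55-byte message returns 55 bytes whose first n-2 blocks equal the CBC ciphertext, and cts_decrypt recovers the message exactly.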

Cryptographic Protocols

Typical E-commerce Scenario
[Figure: credit card transaction flow among the Cardholder, the Merchant, the Acquiring Bank and the Card Company]
1. Transaction request (credit card information sent) – Cardholder to Merchant
2. Card and transaction information – Merchant to Acquiring Bank
3. Authorization request – Acquiring Bank to Card Company
4. Transaction approval – Card Company to Acquiring Bank
5. Transaction approval – Acquiring Bank to Merchant
6. Goods and receipt – Merchant to Cardholder
7. Settlement request – Merchant to Acquiring Bank
8. Credit card bill – Card Company to Cardholder
- A combination of lots of computation and communication
- Must be fair to all participating entities

Cryptographic Protocols
- Cryptographic algorithms
  – Algorithms executed by a single entity
  – Algorithms performing cryptographic functions: encryption, hash, digital signature, etc.
- Cryptographic protocols
  – Protocols executed between multiple entities through pre-defined steps of communication, performing security-related functions
  – Perform more complicated functions than what the primitive algorithms can provide
  – Primitives: key agreement, secret sharing, blind signature, coin toss, secure multiparty computation, etc.
  – Complex application protocols: e-commerce, e-voting, e-auction, etc.

Cryptographic Protocols
- Protocols: designed to accomplish a task through a series of communication steps, involving two or more entities
- Cryptographic protocols: protocols that use cryptography
  – Non-face-to-face interaction over an open network
  – Cannot trust other entities
[Figure: Entity A and Entity B communicating over the Internet, with a threat in between]

Security Requirements in Protocols
- Confidentiality
- Integrity
- Authentication
- Non-repudiation
- Correctness
- Verifiability
- Fairness
- Anonymity
- Privacy
- Robustness
- Efficiency
- Etc.
- Combinations of these requirements, according to the application

Protocol Primitives
- Coin toss game over a communication network
  – Two parties play a coin toss game over the communication network
  – Can it be made fair?
- Blind signatures
  – The signer signs a document without knowledge of the document or of the resulting signature
  – The message and the resulting signature are hidden from the signer
  – Many applications which require anonymity or privacy: digital cash, e-voting
- Key agreement
  – Two or more parties agree on a secret key over a communication network in such a way that all of them influence the outcome
  – Does not require any trusted third party (TTP)

Protocol Primitives
- Secret sharing
  – Distribute a secret amongst a group of participants
  – Each participant is allocated a share of the secret
  – The secret can be reconstructed only when the shares are combined together
  – Individual shares are of no use on their own
- Threshold cryptography
  – A message is encrypted using a public key, and the corresponding private key is shared among multiple parties
  – In order to decrypt a ciphertext, a number of parties exceeding a threshold is required to cooperate in the decryption protocol
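As an added example (not from the lecture), the secret sharing primitive above can be made concrete with Shamir's (t, n) threshold scheme, which the slide does not name but which is the standard instance: the dealer hides the secret as the constant term of a random polynomial of degree t-1 over a prime field, hands each participant one point of the polynomial, and any t points recover the constant term by Lagrange interpolation, while t-1 points are consistent with every possible secret. The prime field (2^127 - 1) and the sample secret are constructed choices.

```python
import secrets

# Constructed field: the Mersenne prime 2^127 - 1; secrets must be integers below it
PRIME = 2**127 - 1

def _eval_poly(coeffs, x):
    """Horner's rule over GF(PRIME); coeffs[0] is the constant term (the secret)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_secret(secret: int, t: int, n: int):
    """Shamir (t, n) sharing: f is a random polynomial of degree t-1 with f(0) = secret;
    participant i (1 <= i <= n) receives the share (i, f(i))."""
    assert 0 <= secret < PRIME and 1 <= t <= n < PRIME
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]

def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(PRIME). Correct with >= t distinct shares;
    with fewer it returns a value unrelated to the secret, which is exactly the point of the scheme."""
    xs = [x for x, _ in shares]
    assert len(set(xs)) == len(xs), "duplicate share indices"
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME          # product of (0 - x_j)
                den = den * (xi - xj) % PRIME      # product of (x_i - x_j)
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

def bytes_to_secret(b: bytes) -> int:
    """Encode a key or other short byte string as a field element (must stay below PRIME)."""
    return int.from_bytes(b, "big")

def secret_to_bytes(s: int, length: int) -> bytes:
    return s.to_bytes(length, "big")
```

Splitting a 16-byte key into 5 shares with threshold 3 lets any 3 of them (in any order) rebuild the key, whereas interpolating through only 2 shares yields a different field element: the two shares alone say nothing about which secret was shared.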

Protocol Primitives
- Zero-knowledge proofs
  – An interactive method for one party to prove to another that a (usually mathematical) statement is true, without revealing anything other than the validity of the statement
- Identification, authentication
  – Over the communication network, one party, Alice, shows to another party, Bob, that she is the real Alice
  – Allows one party, Alice, to prove to another party, Bob, that she possesses secret information without revealing to Bob what that secret information is

Application Protocols
- Electronic commerce
  – SET (Secure Electronic Transaction) – credit card transactions
  – Digital cash, micropayment, e-check, e-money
  – e-auction
  – e-banking
- e-government
- e-voting
- Fair exchange of digital signatures (for contract signing)
- Application scenarios
  – Traditional applications transfer to electronic versions
  – New applications appear with the help of crypto

Blind Signatures

Blind Signature: Signing without seeing the message
- We should not reveal the content of the letter to the signer
- For example, using a carbon-enveloped message:
  1) The user sends a carbon-enveloped message to the signer
  2) The signer signs on the envelope
  3) The user takes off the envelope and gets the signed message

Motivation of Blind Signature
- One interesting question about public key cryptosystems is whether we can use digital signatures to create some form of digital currency. The scenario is described as follows:
  1) A bank publishes its public key.
  2) When one of its customers makes a withdrawal from his account, the bank provides him with a digitally signed note that specifies the amount withdrawn.
  3) The customer can present it to a merchant, who can then verify the bank's signature.
  4) Upon completing a transaction, the vendor can then remit the note to the bank, which will then credit the vendor the amount specified in the note.
  5) This note is, in effect, a digital monetary instrument; we call it "Electronic Cash" or "E-Cash".
- Privacy issue of digital cash??? The bank can easily trace a cash note to a specific user, since it sees the signed note at withdrawal and again at deposit.

E-Cash Scenario
[Figure: Bank, Customer and Shop. The Customer sends a withdrawal request to the Bank, the Bank issues e-cash signed under its public key, the Customer pays the Shop with it, and the Shop deposits the e-cash at the Bank]

David Chaum's Blind Signature
- David Chaum proposed a very elegant solution to this problem, known as the blind signature.
- He is also called the "father of E-cash".

Blind Signature
- A blind signature scheme is a protocol that allows the provider of a message m to obtain a valid signature on m from the signer without the signer seeing the message or its signature.
- If the signer sees message m and its signature later, he can verify that the signature is genuine, but he is unable to link the message-signature pair to the particular instance of the signing protocol which led to this pair.
- Many applications: useful when values need to be certified, yet anonymity should be preserved (e-cash, e-voting)

Blind Signature Protocol Steps
1) Alice takes the document and uses a "blinding factor" to blind the document. (Blinding Phase)
2) Alice sends the blinded document to Bob, and Bob signs the blinded document. (Signing Phase)
3) Alice removes the blinding factor and obtains the signature on the original document. (Unblinding Phase)

RSA-based Blind Signature
Goal: the user gets the signer's signature on a message m. The signer's RSA public key is (N, e) and his private key is d.
(1) Blinding (user): choose a random r ∈ Z_N^*, compute m' = H(m) · r^e mod N, and send m' to the signer
(2) Signing (signer): σ' = m'^d mod N, returned to the user
(3) Unblinding (user): σ = σ' · r^-1 mod N = (H(m) · r^e)^d · r^-1 mod N = H(m)^d · r · r^-1 mod N = H(m)^d mod N
- σ is a valid signature of the signer on m
- The signer cannot get any information on m or σ, since r is a fresh random value known only to the user
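The three phases above, written out as an added example that is not part of the lecture: the user blinds H(m) with r^e, the signer exponentiates what it receives, and the user strips r again to obtain H(m)^d. The RSA key (primes 104723 and 104729, e = 65537) and the SHA-256-based H are constructed choices that are far too small for real use; the final function shows the unlinkability argument from the previous slide, namely that any signing transcript (m', σ') the signer kept is consistent with any valid (m, σ) it later sees.

```python
import hashlib
from math import gcd

# Constructed toy RSA key. The primes are tiny compared with real keys, but large enough
# that H(m) is (with overwhelming probability) a unit mod N.
P_, Q_ = 104723, 104729
N = P_ * Q_
e_pub = 65537
d_priv = pow(e_pub, -1, (P_ - 1) * (Q_ - 1))

def H(m: bytes) -> int:
    """Toy full-domain hash: SHA-256 reduced into Z_N."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def blind(m: bytes, r: int) -> int:
    """(1) Blinding, done by the user: m' = H(m) * r^e mod N, with r a random unit mod N."""
    assert 1 < r < N and gcd(r, N) == 1
    return (H(m) * pow(r, e_pub, N)) % N

def sign_blinded(m_blind: int) -> int:
    """(2) Signing, done by the signer: sigma' = m'^d mod N. The signer only ever sees m'."""
    return pow(m_blind, d_priv, N)

def unblind(sigma_blind: int, r: int) -> int:
    """(3) Unblinding, done by the user: sigma = sigma' * r^-1 = H(m)^d * r * r^-1 = H(m)^d mod N."""
    return (sigma_blind * pow(r, -1, N)) % N

def verify(m: bytes, sigma: int) -> bool:
    """Anyone holding the public key checks sigma^e == H(m) mod N."""
    return pow(sigma, e_pub, N) == H(m)

def run_protocol(m: bytes, r: int):
    """Run the three phases; returns what the signer saw (m') and the final signature on m."""
    m_blind = blind(m, r)
    return m_blind, unblind(sign_blinded(m_blind), r)

def consistent_blinding_factor(m: bytes, sigma: int, m_blind: int, sigma_blind: int) -> bool:
    """Unlinkability: for ANY transcript (m', sigma') the signer kept and ANY valid (m, sigma) it later
    sees, r = sigma' / sigma mod N is a blinding factor that explains the pair, so the transcript gives
    the signer no way to tell which signing session produced sigma."""
    r = (sigma_blind * pow(sigma, -1, N)) % N
    return (H(m) * pow(r, e_pub, N)) % N == m_blind
```

Running the protocol for two different notes with two different blinding factors gives two signatures that verify only for their own message, and consistent_blinding_factor returns True whether the transcript passed in really belongs to that signature or to the other session.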

Schnorr-based Blind Signature
[Figure: protocol flow between User and Signer; the formulas are not preserved in the transcript]
(1) Challenge
(2) Blinding: e
(3) Signing: s
(4) Unblinding
- From the signer's point of view, (r', s') is an unknown signature on the unknown message m

Zero-Knowledge Proofs

Interactive Proof Systems
- Prover: knows a secret (precious) piece of information; wants to prove that he knows it, but does not want to reveal it
- Verifier: is curious about the prover's knowledge; he will ask difficult questions, such that the secret must be used to answer them, and the questions should be random
- The verifier's strategy is a probabilistic polynomial-time (PPT) procedure

Ali Baba's Cave
- Alice wants to prove to Bob that she knows how to open the secret door between A and B, but will not reveal the secret itself
- Procedure
  – Alice and Bob go to the cave
  – Alice goes to A or B randomly (Bob cannot see)
  – Bob tells Alice to come out from A or B
  – If Alice knows the secret, she can appear from the correct side of the cave every time
- Bob repeats this as many times as needed until he believes Alice knows the secret to open the secret door
- How about Trudy? Can he convince Bob without knowing the secret?

Interactive Proof Protocol
- The Prover P and the Verifier V share common inputs (functions or values)
- Each round consists of a Commitment (P to V), a Challenge (V to P) and a Response (P to V); this is repeated for t rounds
- The protocol yields Accept if every Response is accepted by the Verifier; otherwise, the protocol yields Reject

Requirements of Interactive Proofs
- Completeness
  – If the statement is true, the honest verifier will be convinced of this fact by an honest prover
  – Prob[(P,V)(x) = Accept | x ∈ L] ≥ ε, where ε ∈ (½, 1]
- Soundness
  – If the statement is false, no cheating prover can convince the honest verifier that it is true, except with some small probability
  – Prob[(¬P,V)(x) = Accept | x ∉ L] ≤ δ, where δ ∈ [0, ½)

Zero-Knowledge Proofs
- Instances of interactive proofs with the following properties:
  – Completeness – true theorems are provable
  – Soundness – false theorems are not provable
  – Zero-Knowledge – no information about the prover's private input (secret) is revealed to the verifier
- GMR (Goldwasser, Micali, Rackoff)
  1. "The knowledge complexity of interactive-proof systems", Proc. of the 17th ACM Symp. on Theory of Computing
  2. "The knowledge complexity of interactive-proof systems", SIAM J. on Computing, Vol. 18, 1989 (revised version)
- Fundamental Theorem [GMR]: "Zero-knowledge proofs exist for all languages in NP"

Defining Zero-Knowledge
- How to formalize "the verifier learns nothing"?
- Simulation paradigm (informally): require that anything that can be computed in polynomial time by interacting with the prover can also be computed in polynomial time without interacting with the prover.
- That is, for every poly-time verifier V*, there exists a poly-time simulator S such that [output of S(x)] ≈ [output of V* after interacting with P on x], where ≈ means the two are indistinguishable.

Proof of Knowledge (of discrete logarithm)
- A prover tries to prove that he knows a discrete logarithm x
[Figure: Commitment, Challenge and Response exchanged between Prover and Verifier; the formulas are not preserved in the transcript]

Proof of Knowledge (of discrete logarithm)
- Example: p = 23, g = 7, q = 22
- Key generation: x = 13, y = 20 (y = g^x mod p = 7^13 mod 23 = 20)
- The prover proves that he knows the x = 13 corresponding to y = 20 without revealing x
[Figure: Commitment, Challenge and Response exchanged between Prover and Verifier; the formulas are not preserved in the transcript]

Proof of Equality of two discrete logarithms
- The prover tries to prove that two discrete logarithms are equal (the same x) without revealing x
[Figure, spread over two slides: Commitment, Challenge and Response exchanged between Prover and Verifier; the formulas are not preserved in the transcript]

Non-Interactive Zero-Knowledge Proof
- Non-interactive zero-knowledge (NIZK) proofs using the Fiat-Shamir heuristic: the prover replaces the verifier's random challenge with a hash of its own commitment, so the whole proof fits in a single message
[Figure: one message from Prover to Verifier; the formulas are not preserved in the transcript]
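The transcript lost the formulas of the last few slides, so the following added example (not the lecture's own code) works them through with the slide's numbers p = 23, g = 7, q = 22, x = 13, y = 20 using the standard Schnorr proof of knowledge of a discrete logarithm, which is also the exchange behind the Schnorr identification protocol listed later on this page: commitment t = g^k, challenge c, response s = k + c·x mod q, accepted when g^s = t·y^c mod p. The same block shows the soundness and zero-knowledge requirements concretely (a prover without x who guesses the challenge, and a simulator that produces accepting transcripts without x), the equality-of-two-logarithms variant with a constructed second generator h = 5 (so y2 = h^x = 21), and the Fiat-Shamir transformation into a non-interactive proof. Which hash is used for Fiat-Shamir (SHA-256 over the public values and the commitment) is an assumption.

```python
import hashlib
import secrets

# Parameters from the lecture's worked example: p = 23, generator g = 7 of order q = 22,
# prover's secret x = 13, public value y = g^x mod p = 20.
p, g, q = 23, 7, 22
x = 13
y = pow(g, x, p)            # 20

# Constructed for the equality proof: a second generator h = 5, with y2 = h^x mod p = 21.
h = 5
y2 = pow(h, x, p)           # 21

def commit(k=None):
    """Prover, commitment: pick random k in Z_q and send t = g^k mod p."""
    k = secrets.randbelow(q) if k is None else k
    return k, pow(g, k, p)

def respond(k: int, c: int) -> int:
    """Prover, response: s = k + c*x mod q. This is the only step that uses the secret."""
    return (k + c * x) % q

def verify(t: int, c: int, s: int, base: int = g, pub: int = y) -> bool:
    """Verifier: accept iff base^s == t * pub^c mod p."""
    return pow(base, s, p) == (t * pow(pub, c, p)) % p

def interactive_pok(rounds: int = 10) -> bool:
    """Schnorr interactive proof of knowledge of x; a cheater passes each round with probability 1/q."""
    for _ in range(rounds):
        k, t = commit()
        c = secrets.randbelow(q)                  # verifier's random challenge, chosen after seeing t
        if not verify(t, c, respond(k, c)):
            return False
    return True

def cheating_round(guess: int) -> bool:
    """Trudy does not know x. She guesses the challenge, picks s first and back-computes
    t = g^s * y^(-guess); the round is accepted only if the verifier's challenge equals her guess."""
    s = secrets.randbelow(q)
    t = (pow(g, s, p) * pow(pow(y, guess, p), -1, p)) % p
    return verify(t, secrets.randbelow(q), s)

def simulate():
    """Zero-knowledge simulator: an accepting transcript (t, c, s) produced WITHOUT x by choosing c and s
    first. Such transcripts are distributed like real honest-verifier ones, which is why a real transcript
    cannot have taught the verifier anything about x."""
    c, s = secrets.randbelow(q), secrets.randbelow(q)
    t = (pow(g, s, p) * pow(pow(y, c, p), -1, p)) % p
    return t, c, s

def equality_proof(c: int):
    """Prover: show log_g(y) == log_h(y2) (the same x) by using one k for both commitments."""
    k = secrets.randbelow(q)
    return pow(g, k, p), pow(h, k, p), respond(k, c)

def verify_equality(t1: int, t2: int, c: int, s: int) -> bool:
    return verify(t1, c, s, g, y) and verify(t2, c, s, h, y2)

def fiat_shamir_challenge(*values: int) -> int:
    """Fiat-Shamir: the verifier's random challenge is replaced by a hash of the public values and t."""
    data = b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def nizk_prove():
    """Non-interactive proof: a single message (t, s)."""
    k, t = commit()
    return t, respond(k, fiat_shamir_challenge(g, y, t))

def nizk_verify(t: int, s: int) -> bool:
    return verify(t, fiat_shamir_challenge(g, y, t), s)
```

With k = 5 and challenge c = 3 the response is s = (5 + 3·13) mod 22 = 0, and the verifier's check 7^0 = 1 = 17 · 20^3 mod 23 passes. Repeating cheating_round many times accepts in roughly one round out of 22, which is why the protocol is iterated; with a real-size q one round suffices.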

Identification, Authentication

Authentication
- Entity authentication (identification)
  – Over the communication network, one party, Alice, shows to another party, Bob, that she is the real Alice
  – Authenticate an entity by presenting some identification information
  – Should be secure against various attacks
  – Done through interactive protocols using secret information
- Message authentication
  – Show that a message was generated by an entity
  – Using a digital signature or a MAC

Approach for Identification
- Using something known: password, PIN
- Using something possessed: IC card, hardware token
- Using something inherent: biometrics

Approach for Identification

Method                   | Examples                                              | Reliability | Security                        | Cost
What you remember (know) | Password, Telephone #, Registration #                 | M/L         | M (theft), L (impersonation)    | Cheap
What you have            | Registered seal, Magnetic card, IC card               | M           | L (theft), M (impersonation)    | Reasonable
What you are             | Biometrics (fingerprint, eye, DNA, face, voice, etc.) | H           | H (theft), H (impersonation)    | Expensive

(H = high, M = medium, L = low)

Approach for Identification
- Password-based scheme (weak authentication)
  – crypt passwd under UNIX
  – one-time password
- Challenge-response scheme (strong authentication)
  – Symmetric cryptosystem
  – MAC (keyed-hash) function
  – Asymmetric cryptosystem
- Using cryptographic protocols
  – Fiat-Shamir identification protocol
  – Schnorr identification protocol, etc.

Identification by Password
[Figure: the Prover sends (passwd, A) to the Verifier; the Verifier looks up entry A in its password table, which stores h(passwd), computes h(passwd) from what was sent and compares: accept if equal (y), otherwise reject (n)]
- Static password: the same value is sent every time
- Vulnerable to sniffing attacks and replay attacks

S/Key (One-Time Password System)
- Initial setup: the client has a hash function f() and a pass-phrase S; it computes f(S), f(f(S)), ..., i.e. X_1, X_2, X_3, ..., X_N, X_{N+1}, and the host stores X_{N+1}
- Login:
  1. The client sends its login ID
  2. The host replies with N
  3. The client computes f^N(S) = X_N
  4. The client sends X_N
  5. The host computes f(X_N) = X_{N+1}
  6. The host compares it with the stored value
  7. The host stores X_N, and N is decremented for the next login
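The following added example (not the lecture's code) runs the seven S/Key steps above as a small host/client pair and puts the static-password scheme from the previous slide beside it, so the difference in replay behaviour can be checked directly: the static host accepts the same sniffed value again, while the S/Key host rejects a replayed X_N because it now expects X_{N-1}. SHA-256 is a constructed stand-in for f (the original S/Key used MD4/MD5), and the slide's simplification of S as the bare pass-phrase is kept (real S/Key mixes in a per-host seed).

```python
import hashlib

def f(x: bytes) -> bytes:
    """One-way function for the chain. Constructed choice: SHA-256 (S/Key itself used MD4/MD5)."""
    return hashlib.sha256(x).digest()

def f_n(s: bytes, n: int) -> bytes:
    """f^n(S): apply f n times."""
    x = s
    for _ in range(n):
        x = f(x)
    return x

class StaticPasswordHost:
    """The 'Identification by Password' slide: the table stores h(passwd) and the prover sends
    the same passwd every time, so a value captured on the wire can simply be sent again."""
    def __init__(self, login: str, passwd: bytes):
        self.table = {login: f(passwd)}
    def login_attempt(self, login: str, passwd: bytes) -> bool:
        return login in self.table and f(passwd) == self.table[login]

class SKeyHost:
    """S/Key server: stores only X_{N+1} = f^{N+1}(S) and the counter N, never S."""
    def __init__(self, login: str, passphrase: bytes, n: int):
        self.login, self.n = login, n
        self.stored = f_n(passphrase, n + 1)          # initial setup, done once with S present

    def challenge(self, login: str) -> int:
        return self.n if login == self.login else -1  # steps 1-2: client sends ID, host replies N

    def login_attempt(self, login: str, x_n: bytes) -> bool:
        if login != self.login or self.n < 1:          # chain exhausted: must be re-initialized
            return False
        if f(x_n) != self.stored:                      # steps 5-6: f(X_N) must equal the stored X_{N+1}
            return False
        self.stored, self.n = x_n, self.n - 1          # step 7: keep X_N; next time ask for X_{N-1}
        return True

class SKeyClient:
    def __init__(self, passphrase: bytes):
        self.passphrase = passphrase
    def answer(self, n: int) -> bytes:
        return f_n(self.passphrase, n)                 # steps 3-4: compute and send X_N = f^N(S)

def run_login(host: SKeyHost, client: SKeyClient, login: str) -> bool:
    """One complete S/Key exchange."""
    n = host.challenge(login)
    return n >= 0 and host.login_attempt(login, client.answer(n))
```

After a successful login with X_100 the host holds X_100 and asks for X_99 next; presenting the captured X_100 again fails because f(X_100) = X_101 no longer matches, and learning X_100 does not help compute X_99 since f is one-way.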

Schnorr Identification
[Figure: Commitment, Challenge and Response exchanged between Prover and Verifier; the formulas are not preserved in the transcript]