Merkle trees Introduced by Ralph Merkle, 1979 An authentication scheme

Presentation transcript:

Merkle trees
Introduced by Ralph Merkle, 1979
A "classic" cryptographic construction: hash functions combined on a binary tree structure
An authentication scheme using only a one-way hash function as building block; no number theory or trapdoor permutations
An efficient data structure with many practical applications

Merkle tree data structure
Binary tree; nodes are assigned (e.g. 160-bit) values
Extra secret values are associated with each leaf
Interior nodes: v = Hash(v_left || v_right)
Leaves: v_i = Hash(s_i), where s_i is the secret of leaf i

Setup: computing the tree and root hash
Select a random (e.g. 160-bit) secret S
Derive leaf secrets s_i = h(S || i)
Use the hash function to get the leaf and interior node values
Publish the root hash P as the public key
Complexity analysis
A tree of height H has N = 2^H leaves
A node at height h depends on 2^h leaf values
Obtaining P requires calculating all N leaf values plus 2^H - 1 more hash function evaluations (one per interior node)

Authenticating a secret
Prover wishes to reveal s_i to identify herself
Prover sends i, s_i (each secret is used just once)
Additional data required: the "sibling node" values on the path from leaf i to the root
Verifier checks s_i against the public key P:
  Hash s_i first
  Hash the result together with its sibling in the tree
  Repeat, moving up the tree
  Check the result against the root
This scheme can be used as a one-time key scheme: the secret s_i is used only once

Sibling node values required
The root value is public
The sibling nodes on the path from the leaf to the root are required to authenticate a secret (s_0 in the figure)
Verify the secret value by hashing it, then hashing the result together with its sibling, and so on up the tree
Accept if the computed root hash matches the public root value

Data authentication using Merkle tree Authenticate that a piece of data is in the tree

How to use a Merkle hash tree for efficient public key revocation?
Key revocation problem: certificates are invalidated before expiration
Usually due to a compromised key
May be due to a change in circumstances (e.g., someone leaving the company)
The certificate authority needs to answer queries about key revocation status: has key A been revoked or not?
The CA responds with Yes or No along with a proof
The proof protects the integrity of the response
A naive sign-all approach requires the CA to sign each response
A Merkle hash tree significantly improves efficiency and requires only one signature, on the root hash
How to prove something is not in the tree? Hint: items can be sorted and indexed in the tree.

Merkle's Tree Scheme
Construct the Merkle hash tree by computing hashes recursively: leaves h(1,1), h(2,2), h(3,3), h(4,4) over certificates C1, C2, C3, C4; interior nodes h(1,2), h(3,4); root h(1,4)
h is the hash function; C_i is certificate i
The root hash (h(1,4) in the example) is published and known to all
The root hash is signed by the certificate authority to ensure the value's integrity

Validation
To validate C1:
  Compute h(1,1)
  Obtain h(2,2)
  Compute h(1,2)
  Obtain h(3,4)
  Compute h(1,4)
  Compare to the known h(1,4)
Need to know the siblings of the nodes on the path from C1 to the root
The proof from the CA consists of these sibling hashes (h(2,2) and h(3,4) in the example)
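A working version of both the one-time secret scheme (the Setup and Authenticating a secret slides) and the certificate tree (the Merkle's Tree Scheme and Validation slides), as an added Python example that is not part of the slides. It assumes SHA-256 in place of the slides' unspecified 160-bit hash, and uses constructed sample values for the master secret S and the certificates.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    """Tree hash; SHA-256 stands in for the slides' 160-bit hash function (assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()

def leaf_secrets(master: bytes, n: int) -> list:
    """Setup step: derive leaf secrets s_i = h(S || i) from one master secret S."""
    return [h(master, i.to_bytes(4, "big")) for i in range(n)]

def build_tree(leaves: list) -> list:
    """levels[0] = leaf values, levels[-1] = [root]; interior v = h(v_left || v_right)."""
    assert len(leaves) & (len(leaves) - 1) == 0, "number of leaves must be a power of two"
    levels = [leaves]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([h(lvl[k], lvl[k + 1]) for k in range(0, len(lvl), 2)])
    return levels

def auth_path(levels: list, i: int) -> list:
    """Sibling values on the path from leaf i to the root (the extra data the prover sends)."""
    return [lvl[(i >> d) ^ 1] for d, lvl in enumerate(levels[:-1])]

def verify(public_root: bytes, i: int, leaf_value: bytes, siblings: list) -> bool:
    """Hash upward from leaf i; bit d of i says whether the node at height d is a right child."""
    v = leaf_value
    for d, sib in enumerate(siblings):
        v = h(sib, v) if (i >> d) & 1 else h(v, sib)
    return v == public_root

# --- One-time secret scheme (Setup / Authenticating a secret slides) ---
S = b"constructed master secret, not a real key"    # constructed sample value
SECRETS = leaf_secrets(S, 8)                         # tree of height H = 3, N = 8 leaves
LEVELS = build_tree([h(s) for s in SECRETS])         # leaf value v_i = h(s_i)
P = LEVELS[-1][0]                                    # public key = root hash

def prove_secret(i: int):
    """Prover reveals (i, s_i) plus the H sibling values; each s_i must be used only once."""
    return i, SECRETS[i], auth_path(LEVELS, i)

def check_secret(i: int, s_i: bytes, siblings: list) -> bool:
    """Verifier: reject malformed proofs, hash s_i, then hash up the tree and compare with P."""
    if not (0 <= i < len(SECRETS)) or len(siblings) != len(LEVELS) - 1:
        return False
    return verify(P, i, h(s_i), siblings)

# --- Certificate tree (Merkle's Tree Scheme / Validation slides) ---
CERTS = [b"C1", b"C2", b"C3", b"C4"]                 # constructed stand-ins for certificates
CERT_LEVELS = build_tree([h(c) for c in CERTS])      # h(1,1)..h(4,4), h(1,2), h(3,4), h(1,4)
CERT_ROOT = CERT_LEVELS[-1][0]                       # h(1,4): the value the CA signs
```

The proof for C1 is `auth_path(CERT_LEVELS, 0)`, i.e. h(2,2) and h(3,4) as on the Validation slide; for the revocation question above, the same functions apply once leaves are sorted by key identifier, since a proof that an item is absent is the pair of authentication paths for the two adjacent leaves that bracket it.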

Slides credits: Michael Szydlo, Matt Bishop

Exercise at home
Design a scheme for password-protected access by a user to a server. The scheme should satisfy the following requirements:
A new password should be used each day.
The communication cost for the initial setup and for subsequently changing passwords should be low.
The storage space at the server and at the user's machine should be low.
A communication failure (possibly caused by an adversary) between the user and the server should not prevent the new password from being used the next day.
Generating random passwords and giving them to the user at the beginning of each year would not be a valid solution because of the high storage requirement for both parties. Having the user send the next password to the server during the current session is not an acceptable solution either, because a communication failure could prevent the server from learning the correct password for the next day.

Some more problems to think about at home
1. In digital signature schemes such as RSA, why does the signer sign the hash of a message?
2. What is a SYN flood attack? Describe how it can be prevented using SYN cookies.
3. What is the TPM_Extend operation? Why can it detect the substitution of a kernel module? What specific cryptographic assumption is TPM_Extend's security based on?
4. Attestation is for a remote server to verify the integrity of a client. Describe the major steps of TPM-based attestation in a client-server architecture.
5. A Merkle tree is an efficient way for a data owner to prove item authenticity to a requester. An alternative is a sign-all approach: the data owner signs each item. Compare the complexities of the two solutions.