Lecture 5.1: Message Authentication Codes, and Key Distribution


CS 436/636/736, Spring 2013. Nitesh Saxena. 4/26/2017

Course Administration
- HW1 graded and distributed
  - Any questions regarding the grades, please contact the TA
  - If you haven’t picked up your graded submissions, please do so
- HW2 due Monday, 11am – March 04
- Questions?

Outline of Today’s lecture
- Message Authentication Codes
  - Based on block cipher designs
  - Based on hash functions
- Key Distribution
  - Introduction
  - Protocol for private key distribution

Message Authentication Codes
- Provide integrity as well as authentication
- Send (m, MAC); MAC is created on m using the key shared between two parties
- Has to be deterministic to enable verification
  - Unlike encryption schemes
- We want MAC to be as small and as secure as possible
- Cannot provide non-repudiation
  - Why not?

MAC – Functions
- KeyGen – outputs a key
- MAC – creates a checksum on m using key K
- Verify – validates whether the checksum on m is computed correctly
  - Just create MAC and compare

Security Notion for MAC
- Very similar to the security notion for a digital signature scheme
- Existential forgery under (adaptively) chosen message attack

Can encryption be used as a MAC?
- No, not in general
- Intuitively because encryption achieves properties different from MAC
- See a counter-example: One-time pad as a MAC – bad idea!
- However, you can use 3-DES or AES as a building block for MAC

MAC Based on Block Cipher in the CBC mode – CBC-MAC

CBC-MAC
- Note that this is deterministic
  - IV = [0]
  - Unlike CBC encryption
- Only the last block of the output is used as a MAC
- This is secure under chosen message attack (CMA)
  - For pre-decided fixed-length messages
  - Intuitively because of the presence of an avalanche effect
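
Why the fixed-length condition matters, as an added example that is not part of the original slides: CBC-MAC with IV = [0] and the last block as the tag, plus a verifier that enforces one pre-decided length. The keyed function F (HMAC-SHA256 truncated to one block) is an assumed stand-in for 3-DES or AES, and all function names are hypothetical.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes (assumed, as for AES)

def F(key: bytes, block: bytes) -> bytes:
    # Stand-in for the block cipher E_K: CBC-MAC only ever uses the forward
    # direction, so a keyed PRF is enough to show the chaining behaviour.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_mac(key: bytes, msg: bytes) -> bytes:
    if len(msg) == 0 or len(msg) % BLOCK:
        raise ValueError("message must be a whole number of blocks")
    state = bytes(BLOCK)                          # IV = [0], never random
    for i in range(0, len(msg), BLOCK):
        state = F(key, xor(state, msg[i:i + BLOCK]))
    return state                                  # only the last block is the MAC

def verify(key: bytes, msg: bytes, tag: bytes, fixed_len: int) -> bool:
    # The length check is the "pre-decided fixed-length" condition on the slide.
    if len(msg) != fixed_len:
        return False
    return hmac.compare_digest(cbc_mac(key, msg), tag)

def spliced(m1: bytes, t1: bytes, m2: bytes) -> bytes:
    # m1 || (m2 with its first block XORed with t1). After m1 the chaining
    # state equals t1, which cancels, so the remaining computation is cbc_mac(m2).
    return m1 + xor(m2[:BLOCK], t1) + m2[BLOCK:]
```

If messages of different lengths are accepted under one key, the spliced message carries the same tag as m2 although it was never authenticated; the length check in `verify` is what rules it out.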

HMAC: MAC using Hash Functions
- Developed as part of IPSEC - RFC 2104. Also used in SSL etc.
- Key based hash but almost as fast as non-key based hash functions.
- Avoids export restrictions unlike DES based MAC.
- Provable security
- Can be used with different hash functions like SHA-1, MD5, etc.

HMAC
- Block size b bits.
- K+ – K padded with bits on the left to make b bits.
- ipad – 00110110 (0x36) repeated b/8 times.
- opad – 01011100 (0x5c) repeated b/8 times.
- Essentially HMAC_K = H[(K+ xor opad) || H[(K+ xor ipad) || M]]
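
The construction above written out step by step, as an added example that is not part of the original slides, and checked against Python's standard `hmac` module. It follows RFC 2104, which forms K+ by appending zero bytes to K and first hashes any key longer than one block; the function names are hypothetical.

```python
import hashlib
import hmac

def hmac_manual(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    block_bytes = hashlib.new(hash_name).block_size   # b/8 on the slide
    if len(key) > block_bytes:
        key = H(key)                                   # RFC 2104: shrink over-long keys
    k_plus = key.ljust(block_bytes, b"\x00")           # K+: zero bytes appended to K
    k_ipad = bytes(x ^ 0x36 for x in k_plus)           # K+ xor ipad
    k_opad = bytes(x ^ 0x5C for x in k_plus)           # K+ xor opad
    inner = H(k_ipad + msg)                            # H[(K+ xor ipad) || M]
    return H(k_opad + inner)                           # H[(K+ xor opad) || inner]

def verify(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    # Verify = recompute and compare; compare_digest avoids leaking, through
    # timing, how many leading bytes of a guessed tag were correct.
    return hmac.compare_digest(hmac_manual(key, msg, hash_name), tag)
```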

Security of HMAC
- Security related to the collision resistance of the underlying hash function
- http://www.cse.ucsd.edu/~mihir/papers/hmac.html

HMAC – An Efficient Implementation

Key Distribution
- Cryptographic primitives seen so far assume
  - In private key setting: Alice and Bob share a secret key which is unknown to Oscar.
  - In public key setting: Alice has a “trusted” (or authenticated) copy of Bob’s public key.
- But how does this happen in the first place?
- Alice and Bob meet and exchange key(s)
  - Not always practical or possible.
- We need key distribution, first and foremost!
- Idea: make use of a trusted third party (TTP)

“Private Key” Distribution: An Attempt
- Protocol assumes that Alice and Bob share a session key KA and KB with a Key Distribution Center (KDC).
- Alice calls Trent (Trusted KDC) and requests a session key to communicate with Bob.
- Trent generates random session key K and sends E_KA(K) to Alice and E_KB(K) to Bob.
- Alice and Bob decrypt with KA and KB respectively to get K.
- This is a key distribution protocol.
- Susceptible to replay attack!

Session Key Exchange with KDC – Needham-Schroeder Protocol
1. A -> KDC: IDA || IDB || N1
   (Hello, I am Alice, I want to talk to Bob, I need a session key and here is a random nonce identifying this request)
2. KDC -> A: E_KA(K || IDB || N1 || E_KB(K || IDA))
   Encrypted(Here is a key, for you to talk to Bob as per your request N1 and also an envelope to Bob containing the same key)
3. A -> B: E_KB(K || IDA)
   (I would like to talk using key in envelope sent by KDC)
4. B -> A: E_K(N2)
   (OK Alice, but can you prove to me that you are indeed Alice and know the key?)
5. A -> B: E_K(f(N2))
   (Sure I can!)
- Denning-Sacco (replay) attack on the protocol
- NS protocol only provides one way authentication (A → B). You can provide mutual authentication (see next lecture slides for correction)
- Talk about Denning-Sacco Attack on NS: Since the ticket does not contain any timestamp, Eve can replay it in next session. If the key for first session is somehow leaked to Eve → the next session will be compromised too.

Session Key Exchange with KDC – Needham-Schroeder Protocol (corrected version with mutual authentication)
1. A -> KDC: IDA || IDB || N1
   (Hello, I am Alice, I want to talk to Bob, I need a session key and here is a random nonce identifying this request)
2. KDC -> A: E_KA(K || IDB || N1 || E_KB(TS1, K || IDA))
   Encrypted(Here is a key, for you to talk to Bob as per your request N1 and also an envelope to Bob containing the same key)
3. A -> B: E_K(TS2), E_KB(TS1, K || IDA)
   (I would like to talk using key in envelope sent by KDC; here is an authenticator)
4. B -> A: E_K(TS2+1)
   (OK Alice, here is a proof that I am really Bob)
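
Bob's side of message 3 in both versions, as an added example that is not part of the original slides: the envelope without TS1 is accepted whenever it arrives, while the corrected envelope is rejected once TS1 is stale. E and D are a toy authenticated cipher built from SHA-256 and HMAC as an assumed stand-in for E_KB, the 300-second window and all function names are assumptions, and Alice's authenticator E_K(TS2) is not modelled.

```python
import hashlib
import hmac
import json
import os

MAX_AGE = 300  # seconds of clock skew/delay Bob tolerates for TS1 (assumed value)

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def E(key, fields):
    """Toy stand-in for E_KB(...): encrypt then MAC. Illustration only."""
    nonce, pt = os.urandom(16), json.dumps(fields).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def D(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("envelope failed integrity check")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)

def kdc_ticket(kb, session_key, id_a, ts1=None):
    """E_KB(K || IDA) when ts1 is None, E_KB(TS1, K || IDA) otherwise."""
    fields = {"K": session_key.hex(), "IDA": id_a}
    if ts1 is not None:
        fields["TS1"] = ts1
    return E(kb, fields)

def bob_accepts(kb, ticket, now, require_ts):
    """Return the session key Bob would use, or None if he rejects the envelope."""
    fields = D(kb, ticket)
    if require_ts:
        ts1 = fields.get("TS1")
        if ts1 is None or abs(now - ts1) > MAX_AGE:
            return None      # missing or stale timestamp: treat as a replay
    return bytes.fromhex(fields["K"])
```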

Some questions
- Can a KDC learn communication between Alice and Bob, to whom it issued keys?
- Can OTP make for a good MAC?
- Can H(K||m) make for a good MAC?
- Does HMAC provide non-repudiation?

Further Reading
- Stallings Chapter 12 (MAC) and 15 (Key Dist.)
- HAC Chapter 9 (MAC) and 12 (Key Dist.)