Presentation is loading. Please wait.

Presentation is loading. Please wait.

Protocol Analysis.

Published byMilo Pope Modified over 6 years ago

Similar presentations

Presentation on theme: "Protocol Analysis."— Presentation transcript:

1 Protocol Analysis

2 Cryptographic Protocols
Two or more parties Communication over insecure network Cryptography used to achieve goal Exchange secret keys Verify identity (authentication) Secure transaction processing CSCE Farkas 2

3 Emerging Properties of Protocols
Greater interoperation Negotiation of policy Greater complexity Group-oriented protocols Emerging security threats CSCE Farkas 3

4 Protocols Good protocol characteristics: Established in advance
Mutually subscribed Unambiguous Complete CSCE Farkas 4

5 Symmetric-Key Distribution: Symmetric-Key Techniques
(repeat from lecture on 05/13/2014) Symmetric-Key without Server Symmetric-Key with Server CSCE Farkas 5

6 Symmetric-Key Distribution without Server
Change encryption key E(Knew,K), where Knew is the session key, K is the master key New key Ciphertext C New key Encryption Decryption Sender Recipient K CSCE Farkas

7 Symmetric-Key Distribution with Server
Knows KO and KR Server Originator (O,R,IO) E([(IO,R,KOR,E((KOR,O), KR)], KO) E((KOR,O), KR) Recipient Decrypts with KR Knows KOR Decrypts with KO Knows KOR Does not know E((KOR,O), KR) CSCE Farkas CSCE Farkas

8 Symmetric-Key Distribution: Public-Key Techniques
Simple secret key distribution – insecure Secret key distribution with confidentiality and authentication Diffie-Hellman Key Exchange CSCE Farkas 8

9 Simple secret key distribution
Public key of S KE-S ||ID-S 2. E KE-S(Ksession) Sender Recipient Secret Session key Vulnerable to active attack! HOW? CSCE Farkas 9

10 With confidentiality and authentication
Assume: KE-R and KE-S are known in advance Nonce E KE-R[N1||ID-S] 2. E KE-S[N1||N2] 3. E KE-R[N2] 4. E KE-R E KD-S(Ksession) Sender Recipient Question: Why do we need reliable distribution of public keys? CSCE Farkas 10

11 Diffie-Hellman Key Exchange
Proposed in 1976 First public key algorithm Allows group of users to agree on secret key over insecure channel Cannot be used to encrypt and decrypt messages CSCE Farkas 11

12 Diffie-Hellman Key Exchange
Protocol for A and B want to agree on shared secret key: A and B agree on two large numbers n and g, such that 1<g<n A chooses random x and computes X=gx mod n and sends X to B B chooses random y and computes Y=gy mod n and sends Y to A A computes Yx mod n = gyx mod n B computer Xy mod n = gyx mod n Secret key: gyx mod n CSCE Farkas 12

13 Diffie-Hellman Key Exchange
Requires no prior communication between A and B Security depends on difficulty of computing x given X=gx mod n Choices for g and n are critical: both n and (n-1)/2 should be prime, n should be large Susceptible to intruder in the middle attack (active intruder) CSCE Farkas 13

14 Intruder in the Middle Attack
Eve Bob Alice Hi Alice, I’m Bob. Hi Alice, I’m Bob. Hi Bob, I’m Alice. Hi Bob, I’m Alice. Intruder and Bob Uses Diffie-Hellman To agree on key K. Intruder and Alice Uses Diffie-Hellman To agree on key K’. Question: the attacker may want to have K and K’ be the same, Why? CSCE Farkas 14

15 Public-Key Distribution
Without server Broadcasting - insecure Publicly available directory With trusted server Public key distribution center Certificates CSCE Farkas 15

16 Public announcement KE-J.S. KE-J.S. KE-J.S. KE-J.S. John Smith KE-J.S.
Question: What are the vulnerabilities of this approach? CSCE Farkas 16

17 Publicly available directory
Better but not good enough  Directory could Be compromised Public Key Directory KE-J.S. KE-M.R.. John Smith Mary Rose CSCE Farkas 17

18 Public-key authority Public-Key Authority Sender Recipient
Question1: What should the Authority, the Sender and the Recipient know before communication? Public-Key Authority 1. Request || Time1 4. Request || Time2 2. EKD-Auth[KE-R||Request||Time1] 5. EKD-Auth[KE-S||Request||Time2] 3. EKE-R(ID-S||N1) Sender 6. EKE-S(N1||N2) Recipient 7. EKE-R(N2) Exercise: After each message, show what the recipient of the message can do and what the Recipient know. CSCE Farkas 18

19 Public-key certificates
Authority KE-R KE-S C-S=EKD-CAuth[Time1,ID-S,KE-S] CR=EKD-CAuth[Time2,ID-R,KE-R] 1. C-S Sender 2. C-R Recipient CSCE Farkas 19

20 Certificates Guarantees the validity of the information
Establishing trust Public key and user identity are bound together, then signed by someone trusted Need: digital signature CSCE Farkas 20

21 Digital Signature Need the same effect as a real signature
Un-forgeable Authentic Non-alterable Not reusable CSCE Farkas 21

22 Digital signature Direct digital signature: public-key cryptography based Arbitrated digital signature: Conventional encryption: Arbiter sees message Arbiter does not see message Public-key based CSCE Farkas 22

23 Digital Signatures in RSA
Insecure channel Sign Verify Plaintext Plaintext Signed plaintext Decryption Alg. Encryption Alg. Recipient Sender S’s private key S’s public key (need reliable channel) CSCE Farkas 23

24 Lecture 8-9 CSCE 522 - Farkas Secret key (fast) Public key (slow) Hash
Secret key (fast) Public key (slow) Hash Confidentiality Integrity Availability Authentication (peers only) (third party) Non-repudiation Lecture 8-9 CSCE Farkas

25 Lecture 8-9 CSCE 522 - Farkas Secret key Public key Nonce Time stamp
Secret key Public key Nonce Time stamp Passive Eavesdropping Traffic monitoring Active Disruption Modification Fabrication Replay Traffic collection Lecture 8-9 CSCE Farkas

26 Protocol Analysis Exercise 1.
Assume that Jane and Paul want to efficiently send very large files to each other. They also want to provide integrity verification, third- party message authentication (i.e., a third party can verify who the originator of the message is), and limit the scope of a compromise (i.e., providing forward secrecy). You can assume that Jane and Paul have public and secret key encryption capabilities, can generate a hash function, and they have a shared secret key K0 established before the communication. They do not have access to a mutually trusted server, and no other keys but K0 are known at the beginning of the communication. Propose a security protocol to establish necessary keys and show how Jane can send a file to Paul. Lecture 8-9 CSCE Farkas

27 Exercise 2. Message authentication and key agreement Alice wants to establish a secure communication with Bob. They agree to user the Yahalom protocol for mutual authentication and key agreement. The protocol uses symmetric key encryption only. Alice has a secret key shared with a trusted third party Server, KA and, similarly, Bob has a secret-key shared with Server, KB. NA and NB are nonces generated by Alice and Bob, respectively. E(M, K) indicates encryption of message M with key K, “||” means concatenation of messages. Explain after each protocol step what the recipient of the message knows based on the message and the properties of the encryption and what he/she is capable of doing. For example, Lecture 8-9 CSCE Farkas

28 Exercise 2. Message1: Alice  Server: IDA || E(“request for session key to Bob”, KA) Server: The server sees that that claimed sender of the message is Alice. The server can decrypt the message using KA that is shared between Alice and the Server. The message must have been sent by Alice because KA is only known by Alice and the server. The server knows that Alice is requesting a session key to be used by Alice and Bob. The server can generate a session key KS to be used by Alice and Bob and send the key to … Lecture 8-9 CSCE Farkas

29 Exercise 2. Message1: Alice  Bob: IDA || NA Bob knows/can do Message2: Bob  Server: IDB || E[(IDB || NA || NB), KB] Server knows/can do Message3: Server  Alice: E[(IDB || KS || NA || NB), KA] || E[(IDA || KS), KB] Alice knows/can do Message4: Alice  Bob: E[(IDA || KS), KB] || E(NB, KS)] Lecture 8-9 CSCE Farkas

30 Exercise 3. Secure communication Consider the following protocol. Ann wants to send a message M securely to Bob but there is no shared secret key between Ann and Bob, Ann does not even know Bob’s public key. However, using the properties of RSA (in particular the commutative property), Ann proposes the following protocol, where E(M, K) indicates encryption/decryption of message M with key K, “||” means concatenation of messages, KpubA means the public key of A, KprivA means private key of A. Lecture 8-9 CSCE Farkas

31 Exercise 3. Message1: Ann  Bob: IDA || E(M, KpubA) Message 2: Bob  Ann: IDB || E[(E(M, KpubA)), KpubB) Message3: Ann  Bob: IDA || E(M, KpubB) Show a man-in-the-middle attack against the above protocol. Lecture 8-9 CSCE Farkas

32 Next class Review for Test 1 Lecture 8-9 CSCE Farkas 32

Download ppt "Protocol Analysis."

Similar presentations

The Diffie-Hellman Algorithm

The Diffie-Hellman Algorithm
1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Information Security & Cryptographic Principles. Infosec and Cryptography Subjects / Topics : 1. Introduction to computer cryptography 1. Introduction.

Information Security & Cryptographic Principles. Infosec and Cryptography Subjects / Topics : 1. Introduction to computer cryptography 1. Introduction.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.

Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.
Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,

Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,
Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.

Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Computer Science Public Key Management Lecture 5.

Computer Science Public Key Management Lecture 5.
Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.

Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.

Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.
IT 221: Introduction to Information Security Principles Lecture 6:Digital Signatures and Authentication Protocols For Educational Purposes Only Revised:

IT 221: Introduction to Information Security Principles Lecture 6:Digital Signatures and Authentication Protocols For Educational Purposes Only Revised:
Network Security. Security Threats 8Intercept 8Interrupt 8Modification 8Fabrication.

Network Security. Security Threats 8Intercept 8Interrupt 8Modification 8Fabrication.
Cryptography, Authentication and Digital Signatures

Cryptography, Authentication and Digital Signatures
4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.

4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.
BASIC CRYPTOGRAPHIC CONCEPTS. Public Key Cryptography  Uses two keys for every simplex logical communication link.  Public key  Private key  The use.

BASIC CRYPTOGRAPHIC CONCEPTS. Public Key Cryptography  Uses two keys for every simplex logical communication link.  Public key  Private key  The use.

Similar presentations

Ads by Google