Presentation is loading. Please wait.

Presentation is loading. Please wait.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Published byThomas Sark Modified over 10 years ago

Similar presentations

Presentation on theme: "Last Class: The Problem BobAlice Eve Private Message Eavesdropping."— Presentation transcript:

1 Last Class: The Problem BobAlice Eve Private Message Eavesdropping

2 Last Class: The Solution BobAlice Eve Scrambled Message Eavesdropping EncryptionDecryption Private Message

3 Other Security Problems –Are you who you say you are? Authentication –How does Bob know that he’s really talking to Alice? –How does Alice know the message was sent by Bob? Mutual authentication –How does Alice know that the message she receives hasn’t been tampered with? Message Integrity –Are you authorized to do what you want to do? Authorization

4 Secure Channels

5 Given credit where it is due Most slides are from Prof. Kenneth Chiu at SUNY Binghamton Some slides are from Scott Shenker and Ion Stoica at University of California, Berkeley and Ariel J. Frank at Bar-Ilan University I have modified and added some slides

6 Authentication Can you have authentication without message integrity? –I know that Bob sent the message, but someone may have tampered with it. –I know that no one tampered with it, but I don’t know whether or not it was really Bob who sent it. –Authentication & message integrity cannot do without each other ! Set-up phase precedes message exchange Session keys to ensure message integrity

7 Notation for Cryptography NotationDescription K A, B Secret key shared by A and B Public key of A Private key of A

8 Shared Secret Key Authentication Suppose Alice and Bob share a secret key (K A, B ). How can they setup a secure channel over an insecure medium?

9 1.Alice sends her identity to Bob. 2.Bob sends a challenge (random number). 3.Alice must encrypt and return. 4.Alice then sends a challenge to Bob. 5.Bob must encrypt and return.

10 An Optimization Authentication based on a shared secret key, but using three instead of five messages.

11 Attack Attempt Chuck tries to pretend to be Alice. He sends the initial message to Bob. Bob responds with the encrypted challenge, but then his own challenge. Chuck cannot properly respond to the challenge because he doesn’t have the key. Chuck…er…Alice ?

12 Reflection Attack Lesson: never encrypt anything without knowing who you are encrypting it for.

13 Key Distribution Centers If there are N parties using shared secret keys, how many keys are needed? Alternative is to use a trusted KDC. It has a shared key with every host.

14 Key Distribution Centers Disadvantage is that Bob has to get into the loop first.

15 Tickets Using a ticket and letting Alice set up a connection to Bob. Vulnerable to replay attacks if Chuck gets hold on K B,KDC old

16 16 Authentication using KDC (Needham-Schroeder Protocol)  Relate messages 1 and 2: use challenge response mechanism  R A1, R A2, R B : nonces -Nonce: random number used only once to relate two messages Alice Bob R A1,A,B 1 KDC 2 K A,KDC (R A1,B,K A,B, K B,KDC (A,K A,B )) 3 K A,B (R A2 ), K B,KDC (A, K A,B ) 4 K A,B (R A2 -1, R B ) 5 K A,B (R B -1)

17 17 What if R A1 is Missing?  Assume Chuck intercepted -K A,KDC (B,K A,B, K B,KDC old (A,K A,B )) -Knows K B,KDC old Bob (K B,KDC ) A,B 1 KDC Alice 3 K A,B (R A2 ), K B,KDC old (A, K A,B ) 4 K A,B (R A2 -1, R B ) 5 K A,B (R B -1) Chuck (K B,KDC old ) 2 K A,KDC (B,K A,B, K B,KDC old (A,K A,B )) (replayed message) Here Chuck gets K A,B !

18 18 Authentication using KDC (Needham-Schroeder Protocol)  Why do we need to include B in message 2? Alice Bob R A1,A,B 1 KDC 2 K A,KDC (R A1,B,K A,B, K B,KDC (A,K A,B )) 3 K A,B (R A2 ), K B,KDC (A, K A,B ) 4 K A,B (R A2 -1, R B ) 5 K A,B (R B -1)

19 19 What if B is Missing from Message 2?  Assume Chuck intercepts message 1 Alice Bob (K B,KDC ) R A1,A,B 1 KDC 2 K A,KDC (R A1,K A,C, K C,KDC (A,K A,C )) 3 K A,C (R A2 ), K C,KDC (A, K A,C ) 4 K A,C (R A2 -1, R B ) 5 K A,C (R B -1) Chuck R A1,A,C Here Chuck gets K A,C !

20 20 Authentication using KDC (Needham-Schroeder Protocol) Alice Bob R A1,A,B 1 KDC 2 K A,KDC (R A1,B,K A,B, K B,KDC (A,K A,B )) 3 K A,B (R A2 ), K B,KDC (A, K A,B ) 4 K A,B (R A2 -1, R B ) 5 K A,B (R B -1)  Vulnerable to replay attacks if Chuck gets hold on K A,B

21 21 What if Chuck gets K A,B ?  Assume Chuck intercepted -K A,B (R A2 ), K B,KDC,(A,K A,B ) -Knows K A,B Alice Bob R A1,A,B 1 KDC 2 K A,KDC (R A1,B,K A,B, K B,KDC (A,K A,B )) 3 K A,B (R A2 ), K B,KDC (A, K A,B ) 4 K A,B (R A2 -1, R B ) 5 K A,B (R B -1) (replayed message) Chuck (K A,B )

22 22 Defend Against leaking of K A,B  Message 5 (former 3) contains an encrypted nonce (K B,KDC (R B1 )) provided by Bob.  Chuck can no longer simply replay message 5 (former 3) to fool Bob, cause message 5 is now related to message 2 by including nonce R B1. Alice Bob R A1,A,B, K B,KDC (R B1 ) 3 KDC 4 K A,KDC (R A1,B,K A,B, K B,KDC (A,K A,B,R B1 )) 5 K A,B (R A2 ), K B,KDC (A, K A,B,R B1 ) 6 K A,B (R A2 -1, R B2 ) 7 K A,B (R B2 -1) A 1 2 K B,KDC (R B1 )

23 23 Authentication Using Public-Key Cryptography  K A +, K B + : public keys Alice Bob K B + (A, R A ) 1 2 K A + (R A, R B,K A,B ) 3 K A,B (R B ) ?

24 More on Secure Channels In addition to authentication, a secure channel also requires that messages are confidential, and that they maintain their integrity.

25 More on Secure Channels For example: Alice needs to be sure that Bob cannot change a received message and claim it came from her. And Bob needs to be sure that he can prove the message was sent by/from Alice, just in case she decides to deny ever having sent it in the first place. Solution: Digital Signing. ?

26 Digital Signatures Digital signing a message using public-key cryptography. This is implemented in the RSA technology. Note: the entire document is encrypted/signed - this can sometimes be a costly overkill.

27 Message Digest (MD) Can provide data integrity and non- repudiation –Used to verify the authentication of a message Idea: compute a hash on the message and send it along with the message Receiver can apply the same hash function on the message and see whether the result coincides with the received hash

28 Message Digest Operation Transformation contains complex operations (see textbook) 512 bits Message (padded) Initial digest (constant) Transformation... Message digest

29 Digital Signature In practice someone cannot alter the message without modifying the digest –Digest operation very hard to invert Encrypt digest with sender’s private key K A -, K A + : private and public keys of A

30 30 Secure Replicated Servers  A client issues a request to a group of replicated servers  Servers can be subject to Byzantine failures  How does the client gets the correct answer?

31 31 Strawman Solution  Client gets replies from all servers…  … and take majority voting  Problem: client needs to authenticate each server

32 32 Solution: Secret Sharing  Secret sharing: none of processes know the entire secret  Intuition: -Assume we want to tolerate c failures (some of them can by Byzantine failures) -Need to combine responses such that c+1 correct servers are sufficient to get the correct response

33 33 (k,n)-threshold Signature Scheme  One public key K +  n shares of corresponding private keys, K i -, 1 <= i <= n  Encrypted value v with each of private key shares, i.e., v i =K i - (v)  A client can decrypt value v using K + only if it knows at least k values of v i

34 34 Example  Assume 5 replicated servers that tolerate 2 corrupted servers, i.e., we need to adopt a (k,n)-threshold signature scheme where k=3 & n=5

Download ppt "Last Class: The Problem BobAlice Eve Private Message Eavesdropping."

Similar presentations

Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Handshake Protocols COEN 350. Simple Protocol Alice: Hi, I am Alice. My password is “fiddlesticks”. Bob: Welcome, Alice.

Handshake Protocols COEN 350. Simple Protocol Alice: Hi, I am Alice. My password is “fiddlesticks”. Bob: Welcome, Alice.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
1 Security in Wireless Protocols Bluetooth, 802.11, ZigBee.

1 Security in Wireless Protocols Bluetooth, , ZigBee.
Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.

Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.
Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.

Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.
1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.

1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.

 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
More on AuthenticationCS-4513 D-term 20081 More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.

More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Slide 1 Vitaly Shmatikov CS 378 Key Establishment Pitfalls.

Slide 1 Vitaly Shmatikov CS 378 Key Establishment Pitfalls.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.

Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

Similar presentations

Ads by Google