Presentation is loading. Please wait.

Presentation is loading. Please wait.

Overview of Cryptography Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Overview of Cryptography Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy."— Presentation transcript:

1 Overview of Cryptography Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy

2 Cryptography  Is A tremendous tool The basis for many security mechanisms  Is not The solution to all security problems Reliable unless implemented properly Reliable unless used properly Something you should try to invent yourself unless  you spend a lot of time becoming an expert  you subject your design to outside review

3  Encryption scheme: functions to encrypt, decrypt data key generation algorithm symmetric key vs. asymmetric (public) key  Symmetric key: more efficient, generally key = key -1  Public key: publishing key does not reveal key -1  Signature scheme Functions to sign data, verify signature  Hash function, MAC Map input to short hash; ideally, no collisions MAC (keyed hash) used for message integrity Basic Cryptographic Concepts All of these primitives are used in SSL/TLS

4 Our Approach  Analyze systems and protocols that use cryptographic primitives such as SSL, assuming that the primitives are themselves secure  How is security of cryptographic primitives defined? Today’s lecture  How are primitives constructed that satisfy these definitions? 18-733: Applied Cryptography 15-859: Introduction to Theoretical Cryptography Will put up additional slides for optional reading

5 We will cover  Symbolic model Modeling “perfect” cryptography – always secure Abstraction enables mechanized analysis  Complexity-theoretic model Security definitions given by “games” Security properties guaranteed with high probability (almost always) against probabilistic polynomial time adversaries

6 Symmetric encryption  Can compute message m and key k from set S of messages implies can compute encryption {m} k from the same set S (1)S |- m  S |-k  S |- {m} k  Can compute encrypted message (cipher-text) {m} k and key k implies can recover message m (2) S |- {m} k  S |- k  S |- m Formally, messages are terms of a term algebra

7 Asymmetric encryption  Can compute message m and public key K implies can compute encryption {m} K (3) S |- m  S |-K  S |- {m} K  Can compute encrypted message (cipher-text) {m} K and inverse key K -1 implies can recover message m (4) S |- {m} K  S |- K -1  S |- m Each principal has a public-private encryption key pair

8 Digital signature  Can compute message m and signing key s -1 implies can compute signature sig(s -1, m) (5) S |- {m}  S |- s -1  S |- sig(s -1, m)  Given signature sig(s -1, m) and inverse key s, can verify signature Usually modeled using pattern matching

9 Hash function  Can compute message m implies can compute hash h(m) (6) S |- m   S |- h(m)  Given message m and key k, can compute keyed hash h(k,m) (7) S |- m  S |- k  S |- h(k,m) (7) Is a special case of (6) in the symbolic model

10 We will cover  Symbolic model Modeling “perfect” cryptography – always secure Abstraction enables mechanized analysis  Complexity-theoretic model Security definitions given by “games” Security properties guaranteed with high probability (almost always) against probabilistic polynomial time adversaries

11 Digital signatures A Sig(S -1,mi) mi Attacker wins if m ≠mi Messages are bit-strings Signature scheme Attacker is a PPT Turing Machine UF-CMA security:  PPT attackers A  negligible function f  n0  security parameters n ≥ n0 Prob [m ≠mi | A plays by the rules] <= f(n) Intuition: Signatures should be unforgeable with high probability C Sig(S -1,m)

12 Keyed Hash (MAC) A h(k,mi) mi Attacker wins if m ≠mi Messages are bit-strings Attacker is a PPT Turing Machine CMA security:  PPT attackers A  negligible function f  n0  security parameters n ≥ n0 Prob [m ≠mi | A plays by the rules] <= f(n) Intuition: MACs should be unforgeable with high probability C h(k,m)

13 Asymmetric encryption C A m {m} K m {mb} K m0, m1 d Attacker wins if d = b Messages are bit-strings Attacker is a PPT Turing Machine IND-CCA2 security:  PPT attackers A  negligible function f  n0  security parameters n ≥ n0 Prob [d = b | A plays by the rules] <= ½ + f(n) Intuition: Encryption reveals no information about message

14 Hash functions  Preimage resistant  Second preimage resistant  Collision resistant Given hash function h: X  Y Find: x, x’  X s.t x ≠ x’ and h(x) = h(x’) Should be difficult!  PPT attackers A  negligible function f  n0  security parameters n ≥ n0 Prob [A finds x, x’  X s.t x ≠ x’ and h(x) = h(x’)] <= f(n)

15 Putting it together: SSL/TLS C N1, Version1 N2, Version2, sig(CA -1, S, Ks) S Sig(CA -1, C, Kc), Sig(Kc, handshake1), {secret} Ks, h(secret, handshake1, “client”) h(secret, handshake2, “server”)

16 Questions?

Download ppt "Overview of Cryptography Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy."

Similar presentations

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Cryptography and Network Security

Cryptography and Network Security
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Security Definitions in Computational Cryptography

Security Definitions in Computational Cryptography
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.

CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.

Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
CS 395T Computational Soundness of Formal Models.

CS 395T Computational Soundness of Formal Models.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.

First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.

CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.

Similar presentations

Ads by Google