Published by Jasmine Bradley. Modified over 9 years ago.
1
Chapter 9 Cryptographic Protocol
Cryptography-Principles and Practice
Harbin Institute of Technology, School of Computer Science and Technology
Zhijun Li
http://cst.hit.edu.cn/~lizhijun
lizhijun_os@hit.edu.cn
2
Zhijun Li S1034040/Autumn08/HIT
Outline
Structure of Cryptographic Protocol
Cryptographic Protocols
  – Key Establishment Protocols
  – Authentication Protocols
Zero Knowledge Protocol
3
Protocol Review
Protocol:
  – Rules that detail the interaction between parties in a communication
Note:
  – A series of steps
  – At least two parties (normally 2 or 3 parties)
  – In communication
Cryptographic protocol:
  – Using cryptography for security
4
Requirements of Protocol
Every party knows the steps to complete the protocol in advance
Every party must follow the protocol
Each step must be defined explicitly and cannot be misunderstood
The protocol must be complete and define the actions for every possible case
5
Arbitration Protocol
Note:
  – The protocol can work only with an arbitrator
  – The arbitrator is always trusted (condition)
  – Example: Alice → Lawyer: car; Bob → Lawyer: money; Lawyer → Alice: money; Lawyer → Bob: car
[Figure: Alice, Bob and Trent (arbitrator)]
6
Verdict Protocol
Note:
  – The protocol works without a judge
  – A verdict is introduced if a dispute arises
  – Example: Alice, Bob self Lawyer; Bob → Lawyer: evidence; Alice → Lawyer: evidence; Judge decides
[Figure: Alice, Bob, Trent (judge), evidence]
7
Self-enforcing Protocol
Note:
  – The protocol works with only Alice and Bob
  – Security is assured by protocol design
  – Example: Alice → Bob: A; Bob → Alice: B; Alice computes; Bob computes; Alice → Bob: AB; Bob → Alice: BA
[Figure: Alice and Bob]
8
Attacks on the Protocol
Passive attack
  – Can eavesdrop on the information in communication
  – Can eavesdrop on the information in the computer
Active attack
  – Can modify the information in communication
  – Can modify the information in the computer
  – Can impersonate the parties
  – Some parties may not abide by the protocol
9
Outline
Structure of Cryptographic Protocol
Cryptographic Protocols
  – Key Establishment Protocols
  – Authentication Protocols
Zero Knowledge Protocol
10
Key Establishment Protocols
Key distribution protocols
  – Distributed by a trusted authority (TA)
  – Example: Needham-Schroeder protocol
Key agreement protocols
  – Key can be established without TA
  – Example: Diffie-Hellman key agreement protocol
11
Needham-Schroeder Protocol
Alice → Trent: A, B, R_A
  – A is Alice's name, B is the name of Bob, R_A is a random number
Trent → Alice: E_A(R_A, B, K, E_B(K, A))
  – K is the session key
  – E_A and E_B are encryption using A's key and B's key
Alice → Bob: E_B(K, A)
  – After decrypting the above message
Bob → Alice: E_K(R_B)
  – R_B is a random number
Alice → Bob: E_B(R_B - 1)
Bob verifies R_B - 1
12
Needham-Schroeder Remark
R_A, R_B, and R_B - 1 can prevent replay attacks
BUT Mallory can store an old K
  – Mallory → Bob: E_B(K, A)
  – Bob → "Alice" (Mallory): E_K(R_B)
      R_B is a random number
  – Mallory → Bob: E_B(R_B - 1)
  – Bob verifies R_B - 1
  – Mallory can impersonate Alice
13
Otway-Rees Protocol
Idea: add timestamp
Alice → Bob: I, A, B, E_A(R_A, I, A, B)
  – I is the index number
Bob → Trent: I, A, B, E_A(R_A, I, A, B), E_B(R_A, I, A, B)
Trent → Bob: I, E_A(R_A, K), E_B(R_B, K)
  – After decrypting the above message
Bob → Alice: I, E_A(R_A, K)
  – R_B is a random number
Alice verifies I and R_B
14
Diffie-Hellman Key Agreement
Exchanging a secret key over a public channel
Key exchange protocol
  – Select public parameters p, and n
      p is prime and is of order n in Z_p^*
  – Alice selects random b privately and Alice → Bob: [ b mod p]
  – Bob selects random c privately and Bob → Alice: [ c mod p]
  – Alice and Bob compute bc mod p (shared secret key)
Bob, Alice's key is bc
15
Example of DH Exchange
Globally known P=2147483659 and =2
Alice chooses b=12345 and sends Bob [B= b mod p=428647416]
Bob chooses c=654323 and sends Alice [C= c mod p=450904856]
Alice computes the secret key as C^b mod p=1333327162
Bob computes the secret key as B^c mod p=1333327162
So the secret key between Alice and Bob is 1333327162
16
Security of DH
Security of the Diffie-Hellman key exchange protocol is based on the CDH problem
Computational Diffie-Hellman (CDH)
  – Given a group (G, *) and an element g of order q, given g^x and g^y, find g^{xy}
DLP is at least as hard as CDH
An algorithm that solves CDH can be used to decrypt ElGamal
17
CDH and ElGamal
Any algorithm that solves CDH can be used to decrypt ElGamal ciphertexts
Intuition:
  – Decrypting (c_1 = g^k, c_2 = m k ) is equivalent to computing k
  – Knows c_1 = g^k, = g^a, and needs to compute g^{ka}
Proof:
  – Assume that algorithm OracleCDH solves CDH
  – Let (c_1, c_2) be an ElGamal ciphertext
  – Let = g^a, c_1 = g^k mod p, c_2 = m(g^a)^k mod p
  – y = OracleCDH(g, , c_1)
  – m = c_2 y^{-1}
18
Man-in-the-middle Attack
There is a man-in-the-middle attack
Need to be careful who you are agreeing a key with
[Figure: Eve sits between Alice and Bob. Alice holds a and sends g^a; Eve holds m and n and sends g^m and g^n; Bob holds b and sends g^b. Resulting keys: g^{am} and g^{bn}]
19
Diffie-Hellman is NOT Enough
How does Alice know who she is agreeing a key with, is it Bob or Eve?
Using signature:
  – Alice signs her message to Bob
  – Bob signs his message to Alice
  – In that way both parties know who they are talking to
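The exchange from the example slide and the substitution from the man-in-the-middle slide, written out as an added Python example (not part of the original deck). P, the base 2 and the exponents 12345 and 654323 are the slide's; the name G, the function names and the random exponents are assumptions.

```python
import secrets

P = 2147483659  # public prime from the example slide (toy size, not for real use)
G = 2           # public base from the example slide; the name G is an assumption


def public_value(x):
    """Value a party sends for private exponent x: G^x mod P."""
    return pow(G, x, P)


def honest_exchange(b=None, c=None):
    """Alice (exponent b) and Bob (exponent c) swap public values directly."""
    b = b or secrets.randbelow(P - 3) + 2
    c = c or secrets.randbelow(P - 3) + 2
    B, C = public_value(b), public_value(c)
    alice_key = pow(C, b, P)   # Alice raises Bob's value to her exponent
    bob_key = pow(B, c, P)     # Bob raises Alice's value to his exponent
    return B, C, alice_key, bob_key


def intercepted_exchange():
    """Eve swaps each public value in transit for one of her own (slide 18)."""
    a = secrets.randbelow(P - 3) + 2          # Alice's private exponent
    b = secrets.randbelow(P - 3) + 2          # Bob's private exponent
    m = secrets.randbelow(P - 3) + 2          # Eve's exponent facing Alice
    n = secrets.randbelow(P - 3) + 2          # Eve's exponent facing Bob
    alice_key = pow(public_value(m), a, P)    # Alice received g^m, not g^b
    bob_key = pow(public_value(n), b, P)      # Bob received g^n, not g^a
    eve_alice = pow(public_value(a), m, P)    # g^(am): Eve's key with Alice
    eve_bob = pow(public_value(b), n, P)      # g^(bn): Eve's key with Bob
    return alice_key, bob_key, eve_alice, eve_bob


if __name__ == "__main__":
    # Exponents from the example slide; compare the output with the slide.
    print(honest_exchange(12345, 654323))
    ak, bk, ea, eb = intercepted_exchange()
    print("Alice and Bob agree:", ak == bk)
    print("Eve holds both keys:", ak == ea and bk == eb)
```

Nothing in the unauthenticated exchange tells Alice that the value she received came from Bob, which is the gap the signature step on slide 19 closes.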
20
For Public Key Establishment
Above is private key establishment
For public key establishment:
  – Intuition: the distribution of public keys is secure
  – But: there is a man-in-the-middle attack
[Figure: Alice, Bob, Mallory and the KDC; keys K_PA, K_PB and K_PM]
21
Interlock Protocol
Alice → Bob: K_PA
Bob → Alice: K_PB
Alice → Bob: Half_1(E_{K_PB}(M))
  – After decrypting the above message
Bob → Alice: Half_1(E_{K_PA}(M))
Alice → Bob: Half_2(E_{K_PB}(M))
Bob combines Half_1 and Half_2 and decrypts
Bob → Alice: Half_2(E_{K_PA}(M))
Alice combines Half_1 and Half_2 and decrypts
22
Outline
Structure of Cryptographic Protocol
Cryptographic Protocols
  – Key Establishment Protocols
  – Authentication Protocols
Zero Knowledge Protocol
23
Authentication Protocol
Goal: two parties authenticate each other
Example:
  – Alice wants to log in to a computer
      Hashing + salt
      SKEY
  – Alice and Bob want to authenticate each other
      SKID (MAC) Protocol
      DASS Protocol
24
SKEY
Computer computes f(R), f(f(R)), … 100 times
In the computer's database: Alice + x_101
Alice stores x_1, x_2, x_3, …, x_100
1st login:
  – Alice inputs her name and x_100
  – Computer computes f(x_100)
  – Computer replaces x_101 with x_100 in the database
  – Alice deletes x_100 from her list
2nd login:
  – Alice inputs the last x_i in her list
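The login steps above as an added Python example (not from the original deck), including the case the scheme exists for: an eavesdropped password replayed later is rejected. SHA-256 as f, the class names and the seed are assumptions.

```python
import hashlib
import hmac


def f(x: bytes) -> bytes:
    """One-way function f; SHA-256 is an assumption, the slide only says f."""
    return hashlib.sha256(x).digest()


def make_chain(R: bytes, n: int = 100):
    """Return ([x_1 .. x_n] for Alice, x_{n+1} for the computer's database)."""
    chain, x = [], R
    for _ in range(n + 1):
        x = f(x)              # x_1 = f(R), x_2 = f(x_1), ...
        chain.append(x)
    return chain[:n], chain[n]


class Computer:
    def __init__(self):
        self.db = {}          # name -> last accepted value (starts at x_101)

    def enroll(self, name, x_last):
        self.db[name] = x_last

    def login(self, name, x):
        stored = self.db.get(name)
        if stored is None or not hmac.compare_digest(f(x), stored):
            return False      # wrong value, replayed value, or unknown user
        self.db[name] = x     # replace x_{i+1} by x_i
        return True


class Alice:
    def __init__(self, name, passwords):
        self.name, self.passwords = name, list(passwords)

    def next_password(self):
        return self.passwords.pop()   # use, then delete, the last x_i


def demo():
    """Constructed run: two logins, then a replay of the first password."""
    alice_list, x101 = make_chain(b"constructed seed R")
    computer, alice = Computer(), Alice("Alice", alice_list)
    computer.enroll("Alice", x101)
    first = alice.next_password()                          # x_100
    ok1 = computer.login("Alice", first)
    ok2 = computer.login("Alice", alice.next_password())   # x_99
    replay = computer.login("Alice", first)                # x_100 again
    return ok1, ok2, replay
```

The database never holds a value that can be used to log in: it stores x_{i+1}, and the next accepted password is its preimage x_i.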
25
SKID
Alice → Bob: R_A
  – R_A is a random number
Bob → Alice: R_B, H_K(R_A, R_B, B)
  – H_K is the MAC
Alice computes H_K(R_A, R_B, B) and checks
  – At this step, Alice can authenticate Bob
Alice → Bob: H_K(R_B, A)
Bob computes H_K(R_B, A) and checks
  – At this step, Bob can authenticate Alice
  – A man-in-the-middle attack also exists
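Both sides of the SKID exchange above, as an added Python example that is not part of the original deck. HMAC-SHA256 as H_K, the length-prefixed field encoding and the function names are assumptions; the slide only fixes which fields go under the MAC.

```python
import hashlib
import hmac
import secrets


def mac(key, *fields):
    """H_K over length-prefixed fields, so (ab, c) and (a, bc) never collide."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for field in fields:
        h.update(len(field).to_bytes(4, "big") + field)
    return h.digest()


def bob_reply(key, r_a):
    """Bob -> Alice: R_B, H_K(R_A, R_B, B)."""
    r_b = secrets.token_bytes(16)
    return r_b, mac(key, r_a, r_b, b"B")


def alice_check_and_reply(key, r_a, r_b, tag):
    """Alice checks Bob's MAC; on success returns H_K(R_B, A), else None."""
    if not hmac.compare_digest(tag, mac(key, r_a, r_b, b"B")):
        return None
    return mac(key, r_b, b"A")


def bob_check(key, r_b, tag):
    """Bob checks H_K(R_B, A) against the R_B he issued."""
    return hmac.compare_digest(tag, mac(key, r_b, b"A"))


def run(alice_key, bob_key):
    """Full exchange; returns (Alice accepted Bob, Bob accepted Alice)."""
    r_a = secrets.token_bytes(16)                       # Alice -> Bob: R_A
    r_b, tag_b = bob_reply(bob_key, r_a)
    tag_a = alice_check_and_reply(alice_key, r_a, r_b, tag_b)
    if tag_a is None:
        return False, False
    return True, bob_check(bob_key, r_b, tag_a)
```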
26
DASS
DASS: Distributed Authentication Security Service
Alice → Trent: B
Trent → Alice: K_PB, Sig_{K_ST}(B, K_PB)
Alice → Bob: E_K(T_A), E_{K_PB}(L, A, K_PP), Sig_{K_SA}(L, A, K_PP), E_{K_PB}(K), Sig_{K_SP}(E_{K_PB}(K))
  – K is the session key; T_A is the timestamp; L is the lifetime of the key; K_PP/K_SP are a public/private key pair
Bob → Trent: A
Trent → Alice: K_PA, Sig_{K_ST}(A, K_PA)
Bob verifies them
Bob → Alice: E_K(T_B)
Alice checks T_B
27
Outline
Structure of Cryptographic Protocol
Cryptographic Protocols
  – Key Establishment Protocols
  – Authentication Protocols
Zero Knowledge Protocol
28
Zero Knowledge Protocol
Motivation:
  – When Alice authenticates to a server, she gives her password, but the server can then impersonate her
  – Alice can prove she is “Alice”, but she gives the computer zero knowledge
  – Zero-knowledge protocol: allows a prover to prove that he possesses a secret without revealing any information when verifying
  – Normally uses a challenge-response protocol
29
Zero Knowledge Proof of Identity
Alice's secret key is a function of her “Identity”
  – Through a zero-knowledge proof, she can prove that she knows her secret key
  – Fiat-Shamir Identity Protocol
30
Fiat-Shamir Identity Protocol
System parameter: n = pq
Public identity: v (v is a quadratic residue mod n)
Private authenticator: s = sqrt(v^{-1}) mod n
Protocol (repeat t times):
  – Alice picks random r in Z_n^*
  – Alice → Bob: x = r^2 mod n
  – Bob checks x ≠ 0
  – Bob → Alice: random c in {0,1}
  – Bob ← Alice: y, if c=0, y = r; if c=1, y = rs mod n
  – Bob accepts: if c=0, x = r^2 mod n; if c=1, x = y^2 v mod n
31
Security of Fiat-Shamir Protocol
If Alice does not know s, she can cheat Bob with prob. ½
  – t times: the probability is 1/2^t
r cannot be used twice
  – If used, Bob may be able to compute s by s = r^{-1} y
  – Not zero-knowledge
Bob can impersonate Alice with prob. ½
  – t times: the probability is 1/2^t
32
Parallel Fiat-Shamir Protocol
System parameter: n = pq
Public identity: v_1, …, v_k (v_i is a quadratic residue mod n)
Private authenticator: s_i = sqrt(v_i^{-1}) mod n
Protocol (repeat t times):
  – Alice picks random r in Z_n^*
  – Alice → Bob: x = r^2 mod n
  – Bob checks x ≠ 0
  – Bob → Alice: a random {0,1} bit string b_0, b_1, …, b_k
  – Bob ← Alice: y = r (s_1^{b_1} s_2^{b_2} … s_k^{b_k}) mod n
  – Bob accepts: if x = y^2 (v_1^{b_1} v_2^{b_2} … v_k^{b_k}) mod n
33
Fiat-Shamir Protocol Example
N = 35 = 5×7
  – Alice → Bob: x = r^2 = 16^2 mod 35 = 11
  – Bob → Alice: {0,1} string {1, 1, 0, 1}
  – Bob ← Alice: y = 16 (3^1 4^1 9^0 8^1) mod 35 = 31
  – Bob accepts: if 11 = 31^2 (4^1 11^1 16^0 29^1) mod 35

v     v^-1   s = sqrt(v^-1)
4     9      3
11    16     4
16    11     9
29    29     8
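The parallel protocol with the numbers from the example slide, plus the reuse rule from the security slide ("r cannot be used twice"), as an added Python example that is not part of the original deck. N, V, S, r = 16 and the challenge {1, 1, 0, 1} are the slide's values; the function names are assumptions.

```python
import secrets
from math import gcd

N = 35                  # n = pq = 5 * 7, from the example slide
V = [4, 11, 16, 29]     # public identity v_1..v_4
S = [3, 4, 9, 8]        # private authenticator: s_i^2 * v_i = 1 (mod n)


def selected_product(values, bits, n=N):
    """Product of values[i]^bits[i] mod n."""
    out = 1
    for value, bit in zip(values, bits):
        if bit:
            out = out * value % n
    return out


def commit(r, n=N):
    return r * r % n                                  # x = r^2 mod n


def respond(r, bits, s=S, n=N):
    return r * selected_product(s, bits, n) % n       # y = r * prod(s_i^b_i)


def verify(x, bits, y, v=V, n=N):
    return x != 0 and x == y * y * selected_product(v, bits, n) % n


def honest_round():
    """One round with fresh randomness on both sides."""
    r = 0
    while gcd(r, N) != 1:                             # r must lie in Z_n^*
        r = secrets.randbelow(N - 1) + 1
    bits = [secrets.randbelow(2) for _ in V]          # Bob's challenge
    return verify(commit(r), bits, respond(r, bits))


def secret_from_reused_r(y_zero, y_one, n=N):
    """Same r answered for an all-zero challenge (y_zero = r) and for a
    challenge selecting only s_i (y_one = r * s_i): s_i = r^-1 * y."""
    return pow(y_zero, -1, n) * y_one % n
```

A prover implementation therefore has to draw a fresh r for every round and discard it after answering; the modular inverse via `pow(x, -1, n)` needs Python 3.8 or later.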
34
Summary
Structure of Cryptographic Protocol
  – Arbitration Protocol
  – Verdict Protocol
  – Self-enforcing Protocol
Cryptographic Protocols
  – Key Establishment Protocols
  – Authentication Protocols
  – Zero Knowledge Protocol