Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Introduction Class 11 18 February 2003. Overview  Security Properties  Security Primitives  Sample Protocols.

Published byNathaniel Parrish Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Introduction Class 11 18 February 2003. Overview  Security Properties  Security Primitives  Sample Protocols."— Presentation transcript:

1 Security Introduction Class 11 18 February 2003

2 Overview  Security Properties  Security Primitives  Sample Protocols

3 Introducing Protocol Participants  Alice (usually the protocol initiator)  Bob, Alice’s friend  Eve the eavesdropper  Mallory the malicious adversary  Trent the trusted server

4 Security Properties  Confidentiality (secrecy) Eve cannot get any information Semantic security – Even if Eve knows plaintext/ciphertext pairs, she cannot learn any new information  Integrity Prevent modification  Authentication Prevent impersonation Bob knows that Alice sent message

5 Security Properties (cont)  Non-repudiation Alice cannot deny having created message  Freshness Bob knows that Alice’s message is recent Replay protection – Mallory cannot replay Alice’s messages

6 Security Primitives  Asymmetric (public-private key) Diffie-Hellman key agreement Public-key encryption Digital signature  Symmetric (shared-key, same-key) Block cipher (pseudo-random permutation PRP) Stream cipher (pseudo-random generators PRG) Message authentication code (MAC)  Others (unkeyed symmetric) One-way function Cryptographic hash function

7 Asymmetric Primitives  Diffie-Hellman key agreement Public values: large prime p, generator g Alice has secret value a, Bob has secret b A  B: g a (mod p) B  A: g b Bob computes (g a ) b = g ab Alice computes (g b ) a = g ab Eve cannot compute g ab

8 Asymmetric Primitives II  Problem: man-in-the-middle attack  Mallory can impersonate Alice to Bob, Bob to Alice A  M: g a (mod p) M  A: g m M  B: g m B  M: g b Bob computes (g m ) b = g bm Alice computes (g m ) a = g am

9 Asymmetric Primitives III  Public-key encryption  El-Gamal encryption Public values: large prime p, generator g Alice has public key g a (mod p), private key a Bob wants to send message M to Alice Bob picks random x, computes (g a ) x = g ax B  A: g x, Mg ax

10 Asymmetric Primitives IV  Digital Signatures  RSA signature Alice has large secret primes p, q Pick e, compute d s.t. ed = 1 mod  (pq) Public key N=pq, e Private key p, q, d Signature generation of message M  = H(M) d mod N Signature verification:  e = H(M) ed = H(M) 1 + K  (pq) = H(M) (mod N)

11 Symmetric Primitives  Block cipher is a pseudo-random permutation (PRP), each key defines a one-to-one mapping  Encryption: E K (plaintext) = ciphertext  Decryption: D K (ciphertext) = plaintext  We write {plaintext} K for E K (plaintext)  Encrypt each block separately  Examples: DES, Rijndael

12 Symmetric Primitives II  Stream ciphers use pseudo-random generators (PRG)  PRG Input: seed Output: pseudo-random stream  Encryption: use shared key k and initialization vector IV for the seed ciphertext = plaintext  PRG( k, IV )  Send IV, ciphertext  Examples: RC4, SEAL

13 Symmetric Primitives III  Message authentication codes (MAC)  “Cryptographic checksum”, keyed hash  Provides authentication, integrity  Send M, MAC( K, M )  Example: HMAC-MD5 HMAC-MD5(K, M ) = MD5(K  opad || MD5(K  ipad || M)) ipad = 3636..36, opad = 5C5C..5C

14 Cryptographic Hash Functions  Maps arbitrary-length input into finite length output  Properties of a secure hash function One-way: Given y = H(x), cannot find x’ s.t. H(x’) = y Weak collision resistance: Given x, cannot find x’ ≠ x s.t. H(x) = H(x’) Strong collision resistance: Cannot find x, x’ s.t. H(x) = H(x’)  Example: MD5, SHA-1

15 One-Way Hash Chains  Versatile cryptographic primitive  Construction Pick random r N and public one-way function F r i = F(r i+1 ) Secret value: r N, public value r 0  Properties Use in reverse order of construction: r 1, r 2 … r N Infeasible to derive r i from r j (j<i) Efficiently authenticate r i knowing r j (j<i): verify r j = F i-j (r i ) Robust to missing values K5K6K7K4K3 FFF K5 F

16 Comparison Sym vs Asym Crypto Symmetric crypto  72 bit key for high security (2000)  ~1,000,000 ops/s  10x speedup in HW Asymmetric crypto  1024 bit key for high security (RSA)  ~100 signatures/s ~1000 verify/s (RSA)  Marginal speedup in HW

17 Sample Protocols  Sensor network encryption protocol (SNEP)  Broadcast authentication  TESLA  PayWord  MicroMint

18 SPINS Assumptions  Communication Frequent node-base station exchanges Frequent network flooding from base Node-node interactions infrequent  Base station Sufficient memory, power Shares secret key with each node  Node Limited resources, limited trust

19 SNEP Security Goals  Secure point-to-point communication Confidentiality Secrecy Authenticity Integrity Message freshness to prevent replay  Existing protocols use expensive asymmetric crypto (e.g. SSL/TLS, IPSEC)

20 Basic Crypto Primitives  Code size constraints  code reuse  Uses block cipher encrypt function Counter mode encryption Cipher-block-chaining message authentication code (MAC) Pseudo-random generator

21 SNEP Protocol Details  A and B share Encryption keys: K AB K BA MAC keys: K' AB K' BA Counters: C A C B  To send data D, A sends to B: A  B:{D}, MAC( K' AB, [C A || {D} ] )

22 SNEP Properties  Secrecy & confidentiality Semantic security against chosen ciphertext attack Strongest security notion for encryption  Authentication  Replay protection  Code size: 1.5 Kbytes  Strong freshness protocol

23 Need to Stretch?

24 Broadcast Authentication  Broadcasts data over wireless network  Packet injection usually easy  Each receiver can verify data origin Sender Bob M Carol M DaveAlice MM

25 Authentication Needs Asymmetry Sender K Alice K Bob K Msg, MAC(K,Msg) Forged Msg, MAC(K, Forged Msg) Msg, MAC(K,Msg) MAC: Message Authentication Code (authentication tag) K = shared key

26 Digital Signatures Do Not Work  Signatures are expensive, e.g., RSA 1024: High generation cost (~10 milliseconds) High verification cost (~1 millisecond) High communication cost (128 bytes/packet)  Very expensive on low-end processors  If we aggregate signature over multiple packets, intolerant to packet loss

27 TESLA  Timed Efficient Stream Loss-tolerant Authentication  Uses only symmetric cryptography  Asymmetry via time Delayed key disclosure Requires loose time synchronization  Published in IEEE Security and Privacy 2000, NDSS 2001 [PCST]

28 Basic Authentication Mechanism t F(K) Authentic Commitment P MAC(K,P) K disclosed 1: Verify K 2: Verify MAC 3: P Authentic! F: public one-way function

29 Security Condition  Receiver knows key disclosure schedule  Security condition (for packet P): on arrival of P, receiver is certain that sender did not yet disclose K  If security condition not satisfied, drop packet

30 TESLA  Keys disclosed 2 time intervals after use  Receiver setup: Authentic K3, key disclosure schedule K5K6K7 t Time 4Time 5Time 6Time 7 K4K3 P2 K5 P1 K3  Authentication of P1: MAC(K5, P1 ) Verify MAC F FF Authenticate K5 K5 Time 3 F

31 TESLA: Robust to Packet Loss K4K5K6K7 t Time 4Time 5Time 6Time 7 K3 P5 K5 P3 K3 P2 K2 P1 K2 Verify MACs P4 K4 FF Authenticate K5

32 TESLA Summary  Low overhead Communication (~ 20 bytes) Computation (~ 1 MAC computation per packet)  Perfect robustness to packet loss  Independent of number of receivers  Delayed authentication  Extensions: TIK: Instant key disclosure Heterogeneous receivers Instant authentication (sender buffers data)

33 PayWord and MicroMint  PayWord: a credit-based scheme using one-way hash chain: w 0 w 1 w 2 w 3...  MicroMint: digital coins as k-way hash function collisions: x 1 x 2 x 3 x 4 y

34 PayWord Payment Model  Broker model to intermediate and aggregate Broker Vendor User 1. Obtain authorization or coins 2. Purchase information from vendor; pay. 3. Redeem payments Banks and Credit-card companies (Inner loop)

35 PayWord  Broker signs User’s public key (certificate)  User creates one-way hash chain to buy goods from vendor, c 0, …, c N  Each one-way chain element has value v  User signs c 0 and sends it to vendor  User can incrementally pay by revealing successive elements c i  Vendor redeems payment by cashing largest element c j, value = v*j

36 MicroMint  A digital coin should be: Hard to produce [except by Broker] Easy to verify [by anyone]  Digital signatures “work,” but are relatively expensive  MicroMint uses hash functions only (no public-key crypto)  Broker utilizes economy of scale to produce MicroMint coins cheaply (as with a regular mint)

37 Economy of Scale in MicroMint Number of balls thrown Probability of finding collision

38 Minting MicroMint Coins  Pick a one-way hash function F, mapping inputs to n-bit outputs  A valid coin is a k-way collision  Find v 1, …, v k, s.t. F(v 1 ) = … = F(v k )  Verification is very efficient  Producing first 2-way collision requires time 2 n/2 (birthday paradox)  Producing first k-way collision requires time N k = 2 n(k-1)/k  Time cN k yields c k coins; once threshold of N k is passed, coins are produced rapidly

Download ppt "Security Introduction Class 11 18 February 2003. Overview  Security Properties  Security Primitives  Sample Protocols."

Similar presentations

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 PayWord and MicroMint: Two Simple MicroPayment Schemes Ronald L. Rivest (MIT)

Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 PayWord and MicroMint: Two Simple MicroPayment Schemes Ronald L. Rivest (MIT)
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.

First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Security Issues In Sensor Networks By Priya Palanivelu.

Security Issues In Sensor Networks By Priya Palanivelu.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.

Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
Key Distribution in Sensor Networks (work in progress report) Adrian Perrig UC Berkeley.

Key Distribution in Sensor Networks (work in progress report) Adrian Perrig UC Berkeley.
Csci5233 Computer Security & Integrity 1 Cryptography: Basics (2)

Csci5233 Computer Security & Integrity 1 Cryptography: Basics (2)
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J.D. Tygar Research Topics in Security in the context.

SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J.D. Tygar Research Topics in Security in the context.
Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Similar presentations

Ads by Google