David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 12: Public-Key Protocols.


1 David Evans http://www.cs.virginia.edu/~evans CS588: Security and Privacy University of Virginia Computer Science Lecture 12: Public-Key Protocols

8 Oct 2001, University of Virginia CS 588

2 Menu
Humiliation-Free Matchmaking Protocol
Proof-Carrying Code
–Plug for Amy Felty’s talk: 3:30 Today
Authentication

3 Finding Problem Set Partners
Simple way:
–Ask people in the class if they want to work with you
Problems:
–You face rejection and ridicule if they say no
Can you find partners without revealing your wishes unless they are reciprocated?
–Identify people who want to work together, but don’t reveal anything about anyone’s desires to work with people who don’t want to work with them

4 Use a Universally Trusted Third Party
[Diagram: Alice, Bob and MatchMaker.com; the answer returned is “Alice is your best match”]
Bob would like to work with: Ron Rivest, Sandra Bullock, Alice
Alice: Thomas Jefferson, Colleen Hacker, Bob

5 Use a Universally Trusted Third Party
Bob → MatchMaker.com: $E_{KU_M}[E_{KR_B}[\text{“Bob would like …”}]]$
MatchMaker.com → Bob: $E_{KU_B}[E_{KR_M}[\text{“Alice”}]]$

6 HashMaker.com?
Bob writes H(“I am looking for someone who wants to play with Euler’s totient function.”) on the board.
No one else can tell Bob’s deepest darkest desires (H is one-way)
If someone else writes the same hash on the board, Bob has found his match
How well does this work?

7 Untrusted Third Party
Bob → HashMatcher.com: $E_{H(W)}[W]$
Use the hash of the wish as the encryption key for some symmetric cipher:
HashMatcher can’t determine the wish
Someone with the same exact wish will match exactly

8 Untrusted Third Party
Bob → HashMatcher.com: $E_{H(W)}[W]$

9 How can we send a message to HashMaker without it knowing who sent it?
[Diagram: nested envelopes, innermost first]
To: HashMaker, From: Anonymous
To: Router4
To: Router3
To: Router2
To: Router1, From: Bob

10 Onion Routing
[Diagram: Bob, routers R1 to R5, HashMatcher.com]
Pick $n$ random routers, $R_{i_1} \ldots R_{i_n}$
$R_{i_k}$ gets a message $M_k$: $E_{KU_{R_{i_k}}}(\text{To: } R_{i_{k+1}} \,\|\, M_{k+1})$

11 Onion Routing
[Diagram: Bob, routers R1 to R5, HashMatcher.com]
Pick 1 random router: $R_2$
Send $R_2$: $E_{KU_{R_2}}(\text{To: HashMatcher.com} \,\|\, M)$

12 Onion Routing
[Diagram: Bob, routers R1 to R5, HashMatcher.com]
Pick 2 random routers: $R_2$, $R_5$
Send $R_2$: $E_{KU_{R_2}}[\text{To: } R_5 \,\|\, E_{KU_{R_5}}[\text{To: HashMatcher.com} \,\|\, M]]$
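
The layering on slides 10 to 12, as an added example that is not part of the original lecture: it builds the nested message for any router path and shows what each router learns when it peels its layer. Assumptions: a toy symmetric cipher with constructed keys stands in for encryption under each router's public key, and the JSON layer format and function names are hypothetical.

```python
import hashlib
import json

# Constructed per-router keys. The slides use each router's public key KU_R;
# a shared-secret toy cipher stands in for it so the example runs offline.
ROUTER_KEYS = {f"R{i}": hashlib.sha256(f"demo-key-R{i}".encode()).digest()
               for i in range(1, 6)}

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter-mode keystream (toy; encrypts and decrypts)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def build_onion(path, destination, message: bytes) -> bytes:
    """Build M_1 where M_k = E_{R_k}(To: next hop || M_{k+1}), innermost first."""
    next_hops = list(path[1:]) + [destination]
    blob = message
    for router, nxt in zip(reversed(path), reversed(next_hops)):
        layer = json.dumps({"to": nxt, "body": blob.hex()}).encode()
        blob = toy_cipher(ROUTER_KEYS[router], layer)
    return blob

def peel(router: str, blob: bytes):
    """What one router learns: the next hop and an opaque inner blob."""
    layer = json.loads(toy_cipher(ROUTER_KEYS[router], blob))
    return layer["to"], bytes.fromhex(layer["body"])

def route(first_router: str, blob: bytes):
    """Forward hop by hop; return each router's view and the final delivery."""
    views, current = [], first_router
    while current in ROUTER_KEYS:
        nxt, blob = peel(current, blob)
        views.append((current, nxt))
        current = nxt
    return views, current, blob

if __name__ == "__main__":
    onion = build_onion(["R2", "R5"], "HashMatcher.com", b"E_H(W)[W]")
    print(route("R2", onion))
```

With the two-router path of slide 12, R2 sees only "To: R5" and R5 sees only "To: HashMatcher.com"; neither sees both Bob and the destination.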

13 Finding Problem Set Partners
If Bob wants to work with Alice, he constructs W = “Alice + Bob” (all students agree to list names in this way in alphabetical order)
Using onion routing, sends HashMaker: $E_{H(W)}[W]$
Using onion routing, queries HashMaker if there is a matching item
–If so, Alice wants to work with him

14 Problems with this Protocol
Cathy could send W = “Alice + Bob”
Anyone can query “x + Bob” for all students to find out who Bob wants to work with (or who wants to work with Bob, can’t tell the difference)
If Sandra B. wants to work with Bob too, how do matches reflect preferences without revealing them?
Challenge Problem #2: Design a good matchmaking protocol
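
The first two problems on slide 14, made concrete in an added example that is not part of the original lecture: because W comes from a tiny, guessable set, a deterministic token hides nothing from someone who can recompute it. Assumptions: HMAC-SHA256 keyed with H(W) stands in for the slides' $E_{H(W)}[W]$ (only determinism matters here), and the roster, class and function names are constructed for illustration.

```python
import hashlib
import hmac

def wish(a: str, b: str) -> str:
    """W in the class convention: both names in alphabetical order."""
    first, second = sorted([a, b])
    return f"{first} + {second}"

def token(w: str) -> str:
    """Deterministic stand-in for E_H(W)[W]: HMAC-SHA256 of W keyed with H(W)."""
    key = hashlib.sha256(w.encode()).digest()
    return hmac.new(key, w.encode(), hashlib.sha256).hexdigest()

class HashMatcher:
    """Untrusted board: stores opaque tokens and counts how often each was posted."""
    def __init__(self):
        self.counts = {}

    def post(self, t: str) -> None:
        self.counts[t] = self.counts.get(t, 0) + 1

    def posted(self, t: str) -> int:
        return self.counts.get(t, 0)

def who_is_linked_to(board: HashMatcher, target: str, roster) -> list:
    """Test every "x + target" wish: the wish space is only len(roster) - 1 strings."""
    return sorted(x for x in roster
                  if x != target and board.posted(token(wish(x, target))) > 0)

def demo():
    roster = ["Alice", "Bob", "Cathy", "Sandra"]     # constructed class list
    board = HashMatcher()
    board.post(token(wish("Bob", "Alice")))          # Bob wants Alice
    board.post(token(wish("Sandra", "Bob")))         # Sandra wants Bob (unreciprocated)
    honest_match = board.posted(token(wish("Alice", "Bob")))   # Alice checks: 1
    board.post(token(wish("Alice", "Bob")))          # Cathy posts it, not Alice
    forged_count = board.posted(token(wish("Alice", "Bob")))   # looks like a match: 2
    return honest_match, forged_count, who_is_linked_to(board, "Bob", roster)

if __name__ == "__main__":
    print(demo())
```

The board cannot tell Cathy's post from Alice's, and the enumeration returns both Alice and Sandra for Bob without showing which direction either wish runs.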

15 Proof-Carrying Code
Amy Felty, University of Ottawa
Foundational Proof-Carrying Code for Software Safety
Today at 3:30 (right here)

16 Proof-Carrying Code
[Diagram: Code Producer: Program → Certifying Compiler → Native Code + Proof. Code Consumer: Native Code + Proof, with the Policy → Proof Checker → Ok → CPU]

17 Tamper with Code
[Diagram: Code Producer: Program → Certifying Compiler → Native Code + Proof. Wily Hacker tampers with the code. Code Consumer: Tampered Code + Proof, with the Policy → Proof Checker → No!]

18 Tamper with Both
[Diagram: Code Producer: Program → Certifying Compiler → Native Code + Proof. Wily P. Hacker tampers with both. Code Consumer: Tampered Code + Tampered Proof, with the Policy → Proof Checker → CPU]
Proof Checker: “No!”, or “Ok”, but it means the desired property still holds!

19 How many PCC systems in active use?
Choices: 2; 100; 1000; 1 Million; 10 Million; > 20 Million
Java byte code verifier is a limited implementation of PCC:
Bytecodes include extra information on typing, stack use, etc.
Bytecode verifier checks it to enforce low-level code safety properties
Peter Lee claims most linkers are instances of PCC also.

20 Authentication

21 How do you authenticate?
Something you know
–Password
Something you have
–SecurID, physical key
Something you are
–Biometrics (voiceprint, fingerprint, etc.)
Decent authentication requires a combination of at least 2 of these

22 Early Password Schemes
UserID    Password
algore    internalcombustion
clinton   buddy
georgew   gorangers
Login: algore
Password: tipper
Failed login. Guess again.
Login does direct password lookup and comparison.

23 [Diagram: Terminal, Login Process, Trusted Subsystem, Eve]
Login: algore
Password: internalcombustion
login sends

24 Authentication Problems
Need to store the passwords somewhere – dangerous to rely on this being secure
–Encrypt them? But then, need to hide key
Need to transmit password from user to host
–Use a secure line (i.e., no remote logins)
–Encrypt the transmission (what key?)

25 Encrypted Passwords
UserID    Password
algore    E(“internalcombustion”, K)
clinton   E(“buddy”, K)
georgew   E(“gorangers”, K)
Hmmm.... D(E(“buddy”, K), K) = “buddy”

26 Hashed Passwords
UserID    Password
algore    H(“internalcombustion”)
clinton   H(“buddy”)
georgew   H(“gorangers”)

27 Encrypted Passwords Try 1
[Diagram: Terminal, Trusted Subsystem]
Login: algore
Password: internalcombustion
login sends <“algore”, H(“internalcombustion”)>
Trusted subsystem compares to stored value.

28 Encrypted Passwords Try 2
[Diagram: Terminal, Trusted Subsystem]
Login: algore
Password: internalcombustion
login sends
Trusted subsystem computes H(“internalcombustion”) and compares to stored value.

29 First UNIX Password Scheme
[Wilkes68] (recall DES was 1976)
Encryption based on M-209 cipher machine (US Army WWII)
Easy to invert with unknown plaintext and known key, so used password as key:
–Instead of $E_K(\text{password})$ used hash function $E_{\text{Password}}(0)$
PDP-11 could check all lower-case passwords of 5 or fewer letters in 4 hours!

30 Making Brute Force Attacks Harder
Use a slower encryption (hashing) algorithm
–Switched to DES: $H(p) = DES_p(0)$
Even slower: run DES lots of times
–UNIX uses $DES_p^{25}(0)$: … $DES_p(DES_p(DES_p(DES_p(0))))$
Require longer passwords
–DES key is only 56 bits: only uses first 7.5 characters (ASCII)
–95 printable characters, $95^8 = 6.6 \times 10^{15}$

31 Dictionary Attacks
Try a list of common passwords
–All 1-4 letter words
–List of common (dog) names
–Words from dictionary
–Phone numbers, license plates
–All of the above in reverse
Simple dictionary attacks retrieve most user-selected passwords
Precompute H(x) for all dictionary entries

32 86% of users are dumb
Single ASCII character               0.5%
Two characters                       2%
Three characters                     14%
Four alphabetic letters              14%
Five same-case letters               21%
Six lowercase letters                18%
Words in dictionaries or names       15%
Other (possibly good passwords)      14%
(Morris/Thompson 79)

33 Making Dictionary Attacks Harder
Force/convince users to pick better passwords
–Test selected passwords against a known dictionary
–Enforce rules on non-alphabet characters, length, etc.
Don’t let attacker see the password file

34 Problems with User Rules
Users get annoyed
If you require hard to remember passwords, users write them down
Attackers know the password selection rules too – reduces search space!

35 True Anecdote
One installation: machines generated random 8-letter passwords
Used PDP-11 pseudo-random number generator with $2^{15}$ possible values
Time to try all possible passwords on PDP-11: One minute!
Good news: at least people don’t have to remember the 8 random letters

36 Everybody loves Buddy
UserID     Password
algore     $DES^{25}_{\text{internalcombustion}}(0)$
clinton    $DES^{25}_{\text{buddy}}(0)$
georgew    $DES^{25}_{\text{gorangers}}(0)$
hillaryc   $DES^{25}_{\text{buddy}}(0)$

37 Salt of the Earth
UserID     Salt   Password
algore     1125   $DES{+}^{25}$(0, “internal”, 1125)
clinton    2437   $DES{+}^{25}$(0, “buddy”, 2437)
georgew    932    $DES{+}^{25}$(0, “goranger”, 932)
hillaryc   1536   $DES{+}^{25}$(0, “buddy”, 1536)
How much harder is the off-line dictionary attack?
DES+ (m, key, salt) is DES except with salt-dependent E-tables.
Salt: 12 random bits
(This is the standard UNIX password scheme.)
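
The effect of the salt on slides 36 and 37, as an added example that is not part of the original lecture: it rebuilds both password files and runs the precomputed-dictionary lookup from slide 31 against each. Assumptions: 25 rounds of SHA-256 stand in for $DES^{25}$ and $DES{+}^{25}$ (Python ships no DES), and the guess list and function names are constructed for illustration.

```python
import hashlib

ROUNDS = 25          # the slides' DES^25
SALT_BITS = 12       # the slides' 12-bit salt

def stored_hash(password: str, salt=None) -> str:
    """Stand-in for DES^25_p(0) (salt=None) or DES+^25(0, p, salt)."""
    data = password[:8].encode()                    # only the first 8 characters count
    prefix = b"" if salt is None else salt.to_bytes(2, "big")
    digest = bytes(8)                               # the constant 0 block
    for _ in range(ROUNDS):
        digest = hashlib.sha256(prefix + data + digest).digest()
    return digest.hex()

def precompute(dictionary, salts=(None,)) -> dict:
    """Attacker's table H(x) -> x, built once before seeing any password file."""
    return {stored_hash(w, s): w for w in dictionary for s in salts}

def lookup(password_file, table) -> dict:
    """Users whose stored hash appears in a precomputed table."""
    return {user: table[h] for user, _salt, h in password_file if h in table}

# Password files rebuilt from slides 36 and 37 (users, passwords, salts as shown there).
USERS = [("algore", "internalcombustion", 1125), ("clinton", "buddy", 2437),
         ("georgew", "gorangers", 932), ("hillaryc", "buddy", 1536)]
UNSALTED = [(u, None, stored_hash(p)) for u, p, _ in USERS]
SALTED = [(u, s, stored_hash(p, s)) for u, p, s in USERS]
DICTIONARY = ["buddy", "gorangers", "tipper"]      # constructed guess list

def shared_hashes(password_file) -> int:
    """How many rows reveal that two users chose the same password."""
    hashes = [h for _, _, h in password_file]
    return len(hashes) - len(set(hashes))

if __name__ == "__main__":
    print(lookup(UNSALTED, precompute(DICTIONARY)))   # three users fall to 3 entries
    print(lookup(SALTED, precompute(DICTIONARY)))     # same table finds nothing
    print(len(precompute(DICTIONARY, range(2 ** SALT_BITS))))  # 3 * 4096 entries
```

The salt multiplies the precomputed table by $2^{12}$ and hides that clinton and hillaryc share a password; guessing against one user whose salt is known costs the same as before.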

38 Security of UNIX Passwords
Paper by Robert Morris (Sr.) and Ken Thompson, 1979 (link on manifest)
Demonstration of guessability of Unix passwords by Robert Morris, Jr. (Internet Worm, 1988)
L0phtCrack breaks ALL alphanumeric passwords in under 24 hours on Pentium II/450 (Windows NT)

39 What about Eve?
[Diagram: Terminal, Trusted Subsystem, Eve]
Login: algore
Password: internalcombustion
login sends
Trusted subsystem computes $DES{+}^{25}$(0, “internal”, 12) and compares to stored value.

40 sshhhhh....
Be very quiet so Eve can’t hear anything
–Encrypt the communication between the terminal and the server
–How? (Next class…)
Stay for Amy Felty’s Talk

