Presentation is loading. Please wait.

Presentation is loading. Please wait.

Class 4 Secure Channels and Practical Considerations CIS 755: Advanced Computer Security Spring 2015 Eugene Vasserman

Published byEdmund Leonard Modified over 9 years ago

Similar presentations

Presentation on theme: "Class 4 Secure Channels and Practical Considerations CIS 755: Advanced Computer Security Spring 2015 Eugene Vasserman"— Presentation transcript:

1 Class 4 Secure Channels and Practical Considerations CIS 755: Advanced Computer Security Spring 2015 Eugene Vasserman http://www.cis.ksu.edu/~eyv/CIS755_S15/

2 Administrative stuff Quiz I graded – Any problems? Periodically check main page for news and schedule page for changes and slides How were the “papers” for today? Teleconference information will change – Watch for email!

3 Last time: Basic primitives Confidentiality (encryption) – Symmetric (e.g. AES) – Asymmetric (e.g. RSA) Hash functions Integrity and authentication – Symmetric (authentication codes) – Asymmetric (signatures) Random numbers

4 Preview of Math in Asymmetric Crypto Diffie-Hellman – Discrete logarithm is “hard” – Computational, decisional (“flavors”) RSA – Prime factorization is “hard” Quantum computing and Shor’s algorithm Elliptic Curves Bilinear Maps

5 Person-in-the-middle Alice Bob Alice Confidential NOT Authenticated Bob ?

6 Muahaha! Person-in-the-middle Alice Bob Alice? NOT Confidential NOT Authenticated Bob

7 Certificates Alice Bob Alice! Confidential Authenticated Bob CRAP!

8 Confidential? Authenticated? PKI Example: Confidential email Bob Alice Bob Alice?

9 Confidential Authenticated PKI Example: Confidential email Bob Alice Bob Alice!

10 Questions?

11 In practice: Optimizations Asymmetric encryption: – Password  Secret Key  E SK (K), E K (M) Signatures: – Password  Secret Key  M, Sig SK (h(M)) Why do this? Why is this safe? Symmetric: – Password  Key derivation/stretching/strengthening function  K

12 In practice: Problems Composability: http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html Attack on PKCS #1 v2 standard-compliant RSA OAEP leaks plaintext bits: http://www.springerlink.com/content/tw5tuqb3hxbn9grq / This attack also leaks plaintext bits in a lot of systems that use CBC block cipher mode: http://lasecwww.epfl.ch/pub/lasec/doc/Vau02a.ps xkcd.com

13 Example: WEP – IV, RC4(IV, k)  (M, c(M)) – Claim: 24-bit IV + 40-bit key = 64-bit security Example: WEP – IV, RC4(IV, k)  (M, c(M)) – Claim: 24-bit IV + 40- bit key = 64-bit security On the right: text from Jonathan Katz Problems: Composability Is this secure against chosen-plaintext attacks? – It is randomized… 40-bit key (in some implementations)! – Claims that, with IV, this gives a 64-bit effective key(!) And how is the IV chosen? – Only 24 bits long -- IV repetitions are a problem! – Reset to 0 upon re-initialization – Some implementations increment the IV as a counter A repeating IV allows the attacker to compute the XOR of two plaintexts – We have discussed already how this can be damaging Small IV space means the attacker can build a dictionary of (IV, RC4(IV, k)) pairs – If portions of some plaintexts known, this enables determination of other plaintexts Known-plaintext attacks discovered on this usage of RC4 – Possible because the first byte of plaintext is a fixed, known header! Chosen-plaintext attacks – Send IP traffic/e-mail to the mobile host and watch it get forwarded – Transmit broadcast messages to access point – Authentication spoofing No cryptographic integrity protection – The checksum is linear (i.e., c(x  y) = c(x)  c(y)) and unkeyed, and therefore easy to attack – Allows IP redirection attack – Allows TCP “reaction” attacks Look at whether TCP checksum is valid Form of chosen-ciphertext attack Encryption used to provide authentication of mobile station (access point sends nonce; station returns an encryption of the nonce) – Allows easy spoofing after eavesdropping

14 Problems: Side channels Side-channel attacks VERY damaging – Power – Timing See news (2013) and cool stuff (2014) pagesnewscool stuff – Error messages! Different errors in SSH leak information (mismatch between implementation and specification of CBC block cipher mode): http://portal.acm.org/citation.cfm?id=586112

15 Questions?

16 Exercise How do we design a naïve asymmetric encryption scheme from everything we have learned so far? RSA does not provide integrity. Why? Malleable vs. non-malleable Why might we sometimes want malleable?

17 Cool stuff Elliptic curves – y 2 = x 3 + ax + b Secure multiparty computation – General existence result Communication complexity Threshold cryptography – Encryption, signatures, secret sharing

18 More cool stuff Identity-based encryption (IBE) – Time period-based Attribute-based encryption (ABE) Zero-knowledge (ZK) proofs – General existence result in NP – Interactive or non-interactive (NZIK) Strength from number of rounds or predefined Homomorphic encryption

19 Yet more cool stuff Key management – Key trees Hierarchical, time-based access One-time use tokens – Compare to capabilities Blind signatures Compact signature aggregation Commitments (vs. hashes)

20 Questions?

21 Today’s readings Bryant – Designing an Authentication System: a Dialogue in Four Scenes. MIT, 1988. (Kerberos V4) Afterword by Ts’o. MIT, 1997. (Kerberos V5) Fu, Sit, Smith, and Feamster – Dos and Don'ts of Client Authentication on the Web. 2001.

22 User authentication What do we usually think of? – Passwords! In essence: something only you know What does authentication provide? – Access control In essence: access to a limited resource

23 Access control Authentication → access No authentication → no access What are we protecting? Who is our adversary? – Threat model Who is trusted? Where does enforcement occur?

24 My voice is my passport; authorize me! User A says: – I want access to resource R – Kerberos server, authenticate me! R does not know if A has rights to access R Kerberos server: – Checks if A is who she says she is – Checks if A is authorized for access to R R trusts Kerberos server but not A

25 Authentication → capability → access Kerberos server issues a “token” T to A – T is tied to A – T expires – T cannot be generated by anyone other than Kerberos server (cannot be forged) T tells resource R that: – T was issued by the Kerberos server – A has the right to access R for a limited time

26 Questions? Why SSL, not Kerberos, for e-commerce? What’s the major difference between SSL certificates and Kerberos tokens? What’s the “SSL equivalent” of a Kerberos server?

27 Partially implied assumptions Kerberos server is trusted User is not the “client” (software)

28 V5 and Encrypt-then-MAC Changes in Kerberos V5: – Replay protection beyond timestamps – One fewer layer of encryption – Secure delegation Mechanism for verifying decryption is incorrect: should use encrypt-then-MAC – More secure then MAC-then-encrypt or encrypt-and-MAC (provably secure, in fact!)

29 SSL 3.0/TLS 1.0 vulnerabilities US CERT Vulnerability Note VU#864643: SSL 3.0 and TLS 1.0 allow chosen plaintext attack in CBC modes US CERT Vulnerability Note VU#864643 “An attacker with the ability to pose as a man-in-the- middle and to generate specially-crafted plaintext input could decrypt the contents of an SSL- or TLS- encrypted session. This could allow the attacker to recover potentially sensitive information (e.g., HTTP authentication cookies).” NOT new – known CBC-mode attacks

30 Exercise How do we handle password-based authentication over an insecure channel?

31 Exercise Design and sketch an implementation of an expiring capability (similar to a Kerberos token) in terms of what we have learned so far

32 Questions? Reading discussion

Download ppt "Class 4 Secure Channels and Practical Considerations CIS 755: Advanced Computer Security Spring 2015 Eugene Vasserman"

Similar presentations

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Security S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents Security requirements Public key cryptography Key agreement/transport.

Security S Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents Security requirements Public key cryptography Key agreement/transport.
CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Chapter 5 Cryptography Protecting principals communication in systems.

Chapter 5 Cryptography Protecting principals communication in systems.
Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.

Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

Similar presentations

Ads by Google