
1 David Evans, http://www.cs.virginia.edu/~evans
CS588: Security and Privacy, University of Virginia Computer Science
Lecture 13: Authentication and Cash
“Cash is a problem. It’s annoying to carry, it spreads germs, and people can steal it from you. Checks and credit cards have reduced the amount of physical cash flowing through society, but the complete elimination of cash is virtually impossible. It’ll never happen; drug dealers and politicians would never stand for it. Checks and credit cards have an audit trail; you can’t hide to whom you gave money.” Bruce Schneier, Applied Cryptography

2 Menu: Authentication; Digital Cash (10 Oct 2001, University of Virginia CS 588)

3 Last Time
Diagram: Terminal (Login: evans, Password: ******), shankly.cs.virginia.edu, Eve.
login sends
Trusted subsystem computes $\mathrm{DES+}^{25}_{\text{memodn}}(0, \text{salt})$ and compares to stored value.

4 Simplified SSH Protocol
Diagram: Terminal (Login: evans, Password: ******), shankly.cs.virginia.edu, Eve.
login sends $E_{KU_{\text{shankly}}}$
Eve: Can’t decrypt without $KR_{\text{shankly}}$

5 Actual SSH Protocol
$KU_S$ – server’s public host key
$KU_t$ – server’s public key, changes every hour
r – 256-bit random number generated by client
1. Client → Server: requests connection
2. Server → Client: $KU_S$, $KU_t$. Client compares to stored $KU_S$.
3. Client → Server: $E_{KU_S}[E_{KU_t}[r]]$ || { IDEA | 3DES }
All traffic encrypted using r and selected algorithm. Can do regular login (or something more complicated).

6 Comparing to stored $KU_S$
It better be stored securely
– PuTTY stores it in the Windows registry (HKEY_CURRENT_USER\Software\Simon Tatham\PuTTY\SshHostKeys)

7 Why Johnny Can’t Even Login
SecureCRT: Default choice!

8 ssh.com’s SSH

9 ssh Error

10 Jennifer Kahng’s TCC Thesis Project
31% clicked Continue
2% typed in “yes”
People are stupid
Getting people to pay attention is difficult unless you really want to make them angry. (Security vs. convenience.)
Only two people (of > 700) emailed webmaster about potential security vulnerability.

11 Why Johnny (von Neumann) Can’t Even Login
A smart attacker just replaces the stored key in registry
– An ActiveX control can do this trivially
– No warning from SSH when you now connect to the host controlled by the attacker (have to spoof DNS or intercept connection, but this is easy)
No easy solution… see Question 4 from last year’s midterm

12 Recap – Authentication Problems
Need to store the passwords somewhere – dangerous to rely on this being secure
Need to transmit password from user to host
Remaining problems:
Users pick bad passwords
Even if everything is secure, can still watch victim type!
Only have to mess up once

13 Solution – Don’t Reuse Passwords
One-time passwords
New users have to memorize a list of secure passwords and use one in turn for each login
Host generates the list using cryptographic random numbers and stores it securely
Users spend hours memorizing passwords... and better not forget one!

14 Challenge-Response
Terminal: Login: evans. Challenge: What’s the 15th word of the Jefferson Wheel Cipher Challenge? Response: of
Messages in the diagram: $E_{KU_{\text{shankly}}}$[“evans”], Challenge, “of”

15 Challenge-Response
Terminal: Login: evans. Challenge: 2357938523. Response: f(x)
Messages in the diagram: $E_{KU_{\text{mamba}}}$[“evans”], Challenge x, f(x)

16 Challenge-Response Systems
Ask a question, see if the answer is right
Hard to make up questions only host and user can answer
Question: x? Answer: f(x).
What’s a good choice for f?
– E(x, key known to both)
– Still have the problem of storing the key
SecurID systems work like this
– Don’t need to send challenge, it’s the time

17 One-Time Use Passwords
Can we create a sequence of passwords the host can check without storing anything useful to an attacker on the host?
Recall: Unix repeated use passwords
Host stores: H(p)
User provides: x
Password is valid if H(x) = H(p)

18 S-Key
Alice picks random number R
S-Key program generates $H(R)$, $H(H(R))$, ..., $H^{99}(R)$.
Alice prints out these numbers and stores somewhere secure
Host stores $H^{100}(R)$.

19 S/Key Login
Alice enters $H^{99}(R)$.
Host calculates $H(H^{99}(R))$.
Compares to stored $H^{100}(R)$.
If they match, allows login
And replaces old value with $H^{99}(R)$.
Alice crosses off $H^{99}(R)$, enters $H^{98}(R)$ next time.
S/Key uses MD4 for H

20 S/Key
> keyinit
Adding evans:
Reminder - Only use this method if you are directly connected. If you are using telnet or rlogin exit with no password and use keyinit -s.
Enter secret password: test
Again secret password: test
ID evans s/key is 99 sh69506
$H^{100}$(test) = sh69506
What do I need to enter to log in?

21 S/Key
> key -n 100 99 sh69506
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password: test
0: KEEL FLED SUDS BOHR DUD SUP
1: TOW JOBS HOFF GIVE CHUB LAUD
…
98: JEAN THEN WEAK ELAN SLOB GAS
99: MUG KNOB ACT ALOE REST TOO
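The hash-chain login from slides 18 to 21, as an added example that is not part of the original lecture. It assumes SHA-256 in place of the MD4 that S/Key uses and a random constructed R; the `Host` class and `demo` function are hypothetical names.

```python
import hashlib
import secrets

def H(x: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the MD4 used by S/Key.
    return hashlib.sha256(x).digest()

def chain(r: bytes, n: int) -> list[bytes]:
    """Return [H^1(R), H^2(R), ..., H^n(R)]."""
    out, v = [], r
    for _ in range(n):
        v = H(v)
        out.append(v)
    return out

class Host:
    """Stores only the most recently accepted value, starting at H^100(R)."""
    def __init__(self, top: bytes):
        self.stored = top

    def login(self, otp: bytes) -> bool:
        # Valid only if one more application of H gives the stored value.
        if secrets.compare_digest(H(otp), self.stored):
            self.stored = otp          # replace old value with the one just used
            return True
        return False

def demo() -> dict:
    r = secrets.token_bytes(16)        # Alice's random R (constructed)
    values = chain(r, 100)             # values[i - 1] == H^i(R)
    host = Host(values[99])            # host stores H^100(R)
    alice = values[:99]                # Alice's printed list: H^1(R) .. H^99(R)
    return {
        "first": host.login(alice[98]),    # H^99(R) is accepted
        "replay": host.login(alice[98]),   # the same value again is rejected
        "skip": host.login(alice[96]),     # H^97(R) out of order is rejected
        "next": host.login(alice[97]),     # H^98(R) is accepted
        # The host's own stored value is not a valid next password:
        "stolen_store": host.login(host.stored),
    }

if __name__ == "__main__":
    print(demo())
```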

22 Digital Cash

23 Properties of Physical Cash
Universally recognized as valuable
Easy to transfer
Anonymous
Big and Heavy
– Average bank robbery takes $4552
– 500 US bills / pound
– Bill Gates net worth would be 400 tons in $100 bills
Moderately difficult to counterfeit in small quantities
Extremely difficult to get away with counterfeiting large quantities (unless you are Iran or Syria)

24 Real Cash
Why does it have value?
– Nice pictures of dead presidents (< 1¢)
– Because it is hard to print (< 5¢)
Because other people think it does
– We trust our government not to print too much
– People who forge it get sent to jail

25 Counterfeiting
Secret Service seized $209M in 1994 (of $380B circulated)
Nearly 2/3 of US cash is in foreign countries
Why did US bills change?
– Iran and Syria probably print counterfeit US bills
– They have a De La Rue Giori (Switzerland) printing press, same as used for old US bills
– 1992 report, led to currency redesign
Most foreign countries are smarter
– Use of color
– Obvious, well-known security features
– Bigger bills for bigger denominations

26 IOU Protocol (Lecture 11)
Alice has {$KU_A$, $KR_A$}
Alice → Bob: M, $E_{KR_A}[H(M)]$
Bob → Judge: M, $E_{KR_A}[H(M)]$ (Judge knows $KU_A$)
Bob can verify H(M) by decrypting, but cannot forge M, $E_{KR_A}[H(M)]$ pair without knowing $KR_A$.
M = “I, Alice, owe Bob $1000.”

27 IOU Protocol
x Universally recognized as valuable
x Easy to transfer
x Anonymous
x Heavy
? Moderately difficult to counterfeit in small quantities
? Extremely difficult to get away with counterfeiting large quantities

28 What is cash really?
IOU from a bank
Instead of generating, “I, Alice, owe Bob $1000”, let’s generate, “I, the Trustworthy Trust Bank, owe the bearer of this note $1000.”
Alice asks the bank for an IOU, and the bank deducts $1000 from her account.

29 Bank IOU Protocol
Universally recognized as valuable
Easy to transfer
Anonymous
x Heavy
? Moderately difficult to counterfeit in small quantities
? Extremely difficult to get away with counterfeiting large quantities

30 Counterfeiting Bank IOUs
Assuming the hash and signature are secure
Alice gives Bob bank IOU for $1000
Bob sends bank 100 copies of bank IOU
The bank has lost $99 000.
Bits are easy to copy! Hard to make something rare...

31 Bank Identifiers
Bank adds a unique tag to each IOU it generates
When someone cashes an IOU, bank checks that that IOU has not already been cashed
Can’t tell if it was Alice or Bob who cheated
Alice loses her anonymity – the bank can tell where she spends her money

32 Digital Cash, Protocol #1
1. Alice prepares 100 money orders for $1000 each.
2. Puts each one in a different sealed envelope, with a piece of carbon paper.
3. Gives envelopes to bank.
4. Bank opens 99 envelopes and checks they contain money order for $1000.
5. Bank signs the remaining envelope without opening it (signature goes through carbon paper).

33 Digital Cash, Protocol #1 cont.
6. Bank returns envelope to Alice and deducts $1000 from her account.
7. Alice opens envelope, and spends the money order.
8. Merchant checks the Bank’s signature.
9. Merchant deposits money order.
10. Bank verifies its signature and credits Merchant’s account.

34 Digital Cash, Protocol #1
Is it anonymous?
Can Alice cheat?
– Make one of the money orders for $100000, 1% chance of picking right bill, 99% chance bank detects attempted fraud. Better make the penalty for this high (e.g., jail)
– Copy the signed money order and re-spend it.
Can Merchant cheat?
– Copy the signed money order and re-deposit it.

35 Digital Cash, Protocol #2
Idea: prevent double-spending by giving each money order a unique ID.
Problem: how do we provide unique IDs without losing anonymity?
Solution: let Alice generate the unique IDs, and keep them secret from bank.

36 Digital Cash, Protocol #2
1. Alice prepares 100 money orders for $1000 each, adds a long, unique random ID to each note.
2. Puts each one in a different sealed envelope, with a piece of carbon paper.
3. Gives envelopes to bank.
4. Bank opens 99 envelopes and checks they contain money order for $1000.
5. Bank signs the remaining envelope without opening it.

37 Digital Cash, Protocol #2 cont.
6. Bank returns envelope to Alice and deducts $1000 from her account.
7. Alice opens envelope, and spends the money order.
8. Merchant checks the Bank’s signature.
9. Merchant deposits money order.
10. Bank verifies its signature, checks that the unique random ID has not already been spent, credits Merchant’s account, and records the unique random ID.

38 Digital Cash, Protocol #2
Is it anonymous?
Can Alice cheat?
Can Merchant cheat?
Can bank catch cheaters?

39 Mimicking Carbon Paper
How does bank sign the envelope without knowing what it contains?
Normal signatures:
Alice sends bank M
Bank sends Alice $S_M = E_{KR_{\text{Bank}}}(M)$
Alice shows $S_M$ to Bob, who decrypts with bank’s public key.

40 Blind Signatures
Alice picks random k between 1 and n.
Sends bank $t = m k^e \bmod n$ (e from Bank’s public key).
Bank signs t using private key d. Sends Alice:
$t^d = (m k^e \bmod n)^d \bmod n = (m k^e)^d \bmod n \equiv m^d k^{ed} \bmod n$
What do we know about $k^{ed} \bmod n$?

41 Blind Signatures
Alice gets $t^d \equiv m^d k \bmod n$
Alice divides by k to get $s_m \equiv m^d k / k \equiv m^d \bmod n$.
Hence: bank can sign money orders without opening them!
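The blinding, signing and unblinding steps from slides 40 and 41, as an added example that is not part of the original lecture. The bank key is a constructed toy RSA key built from two Mersenne primes, the money order is a constructed byte string, and all function names are hypothetical.

```python
import math
import secrets

# Constructed toy RSA key for the bank; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # bank's private exponent d

def blind(m: int) -> tuple[int, int]:
    """Alice: pick random k and return (t, k) with t = m * k^e mod n."""
    while True:
        k = secrets.randbelow(N - 2) + 2
        if math.gcd(k, N) == 1:        # k must be invertible to divide by it later
            return (m * pow(k, E, N)) % N, k

def bank_sign(t: int) -> int:
    """Bank: signs t without learning m, returning t^d mod n."""
    return pow(t, D, N)

def unblind(td: int, k: int) -> int:
    """Alice: divide by k (multiply by k^-1 mod n), since k^(ed) = k mod n."""
    return (td * pow(k, -1, N)) % N

def verify(m: int, s: int) -> bool:
    """Anyone: check s^e mod n == m using the bank's public key."""
    return pow(s, E, N) == m % N

def demo() -> tuple[int, int, int]:
    m = int.from_bytes(b"$1000 #42", "big")   # constructed money order, m < n
    t, k = blind(m)
    s = unblind(bank_sign(t), k)
    return m, t, s

if __name__ == "__main__":
    m, t, s = demo()
    print(verify(m, s), s == pow(m, D, N))
```

The unblinded value equals the signature the bank would have produced on m directly, which is why the merchant can check it with the ordinary public key.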

42 Digital Cash Protocol #2
Instead of envelopes, Alice blinds each money order using a different randomly selected $k_i$.
The bank asks for any 99 of the $k_i$’s.
The bank unblinds the messages (by dividing) and checks they are valid.
The bank signs the other money order.
Still haven’t solved the catching cheaters problem!

43 Anonymity for Non-Cheaters
Spend a bill once – maintain anonymity
Spend a bill twice – lose anonymity
Have we seen anything like this?

44 Digital Cash
1. Alice prepares n money orders each containing:
Amount
Uniqueness String: X
Identity Strings: $I_1 = (h(I_{1L}), h(I_{1R}))$ ... $I_n = (h(I_{nL}), h(I_{nR}))$
Each $I_n$ pair reveals Alice’s identity (name, address, etc.). $I = I_{iL} \oplus I_{iR}$. h is a secure, one-way hash function.

45 Digital Cash, cont.
2. Alice blinds (multiplies by random k) all n money orders and sends them to bank.
3. Bank asks for any n-1 of the random $k_i$s and all its corresponding identity strings.
4. Bank checks money orders. If okay, signs the remaining blinded money order, and deducts amount from Alice’s account.

46 Digital Cash, cont.
5. Alice unblinds the signed note, and spends it with a Merchant.
6. Merchant asks Alice to randomly reveal either $I_{iL}$ or $I_{iR}$ for each i. (Merchant chooses n-bit selector string.)
7. Alice sends Merchant corresponding $I_{iL}$’s or $I_{iR}$’s.
8. Merchant uses h to confirm Alice didn’t cheat.

47 Digital Cash, cont.
9. Merchant takes money order and identity string halves to bank.
10. Bank verifies its signature, and checks uniqueness string. If it has not been previously deposited, bank credits Merchant and records uniqueness string and identity string halves.

48 Digital Cash, cont.
11. If it has been previously deposited, bank looks up previous identity string halves. Finds one where both L and R halves are known, and calculates I. Arrests Alice.
12. If there are no i’s where different halves are known, arrest Merchant.
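The identity-string mechanism from steps 1 and 6 to 12, as an added example that is not part of the original lecture. It covers only the split identity strings (the blind signature and uniqueness-string lookup are left out), assumes SHA-256 for h, and uses a constructed identity and constructed selector strings; all function names are hypothetical.

```python
import hashlib
import secrets

def h(x: bytes) -> bytes:
    # Assumption: SHA-256 plays the role of the one-way hash h.
    return hashlib.sha256(x).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def make_identity_pairs(identity: bytes, n: int):
    """Alice: n random splits with I = I_iL xor I_iR.
    Returns (secret halves, commitments (h(I_iL), h(I_iR)) on the note)."""
    halves = []
    for _ in range(n):
        left = secrets.token_bytes(len(identity))
        halves.append((left, xor(identity, left)))
    return halves, [(h(l), h(r)) for l, r in halves]

def reveal(halves, selector):
    """Alice: selector bit 0 reveals I_iL, bit 1 reveals I_iR."""
    return [pair[bit] for pair, bit in zip(halves, selector)]

def merchant_check(commits, selector, revealed) -> bool:
    """Merchant (step 8): every revealed half must match its commitment."""
    return all(h(v) == c[bit] for c, bit, v in zip(commits, selector, revealed))

def bank_trace(sel1, rev1, sel2, rev2):
    """Bank (steps 11-12): on a repeated uniqueness string, recover I from
    any i where the two deposits show different halves; None if no such i."""
    for b1, v1, b2, v2 in zip(sel1, rev1, sel2, rev2):
        if b1 != b2:
            return xor(v1, v2)
    return None

if __name__ == "__main__":
    identity = b"Alice, 1 Example Rd"              # constructed identity string
    halves, commits = make_identity_pairs(identity, 8)
    sel_a = [0, 1, 0, 1, 0, 1, 0, 1]               # first merchant's selector
    sel_b = [0, 1, 1, 1, 0, 0, 0, 1]               # second merchant's selector
    rev_a, rev_b = reveal(halves, sel_a), reveal(halves, sel_b)
    print(merchant_check(commits, sel_a, rev_a))
    print(bank_trace(sel_a, rev_a, sel_b, rev_b))  # double spend exposes I
    print(bank_trace(sel_a, rev_a, sel_a, rev_a))  # same halves twice: None
```

With n-bit selectors, two independent merchants pick identical strings with probability 2^-n, which is the chance that a double-spending Alice escapes identification.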

49 Digital Cash Protocol
Universally recognized as valuable
Easy to transfer
Anonymous
x Heavy
Moderately difficult to counterfeit in small quantities
? Extremely difficult to get away with counterfeiting large quantities (unless you are Iran or Syria)

50 Digital Cash Summary
Preserves anonymity of non-cheating spenders (assuming large bank and standard denominations)
Doesn’t preserve anonymity of Merchants
Requires a trusted off-line bank
Expensive – lots of computation for one transaction
Other schemes (Millicent, CyberCoin, NetBill, etc.) proposed for smaller transactions

51 Reading “Holiday”
“… professors should make sure to keep at least one holiday stress-free.” - Tuesday’s Cav Daily Editorial
You have no assignments next week!
But… project presentations start week after Thanksgiving.
So… either make lots of progress on your project next week, or plan on working on them a lot over Thanksgiving break.

52 Charge
User Interfaces Matter – Especially for Security
86% of users pick dumb passwords, but everyone will click “Ok” to any security-related question
Cryptographers can make infinite amounts of money!

