
Handbook of Applied Cryptography - CH1, from 1.7~1.13-

Handbook of Applied Cryptography - CH1, from 1.7~1.13-. Howon Kim 2017. 9.11. 1.7 Authentication & Identification. Authentication has several meanings: entity authentication (identification), message authentication (data origin authentication), data integrity, non-repudiation, and key authentication.


Presentation Transcript


  1. Handbook of Applied Cryptography- CH1, from 1.7~1.13- Howon Kim 2017. 9.11

  2. 1.7 Authentication & Identification • Authentication • has several meanings: • entity authentication (identification), message authentication (data origin authentication), data integrity, non-repudiation, and key authentication.

  3. 1.7.1 Identification • Identification: • assures one of two parties of the identity of the second party involved, • and that the second party was active at the time the evidence was acquired.

  4. 1.7.2 Data origin authentication • Message authentication: • provides the party receiving the message with assurance of the identity of the party that sent it.

  5. 1.8 Public Key Cryptography

  6. 1.8 Public Key Cryptography • e: Bob's public key • d: Bob's private key

  7. 1.8 Public Key Cryptography

  8. 1.8.2 The necessity of authentication in public-key systems • The adversary sends its own public key (e') to A, passing it off as B's public key e • A encrypts the message intended for B with the adversary's public key and sends it • This is the impersonation weakness of PKC systems • Figure 1.13 illustrates how an active adversary can defeat the system (decrypt messages intended for a second entity) without breaking the encryption system. This is a type of impersonation.

  9. 1.8.3 Digital signatures from reversible public-key encryption

  10. 1.8.3 Digital signatures from reversible public-key encryption

  11. 1.8.4 Symmetric-key vs. Public Key Cryptography

  12. 1.8.4 Symmetric-key vs. Public Key Cryptography

  13. 1.8.4 Symmetric-key vs. Public Key Cryptography

  14. 1.8.4 Symmetric-key vs. Public Key Cryptography

  15. 1.9 Hash functions

  16. 1.10 Protocols and mechanisms

  17. 1.11 Key establishment, management, and certification

  18. 1.11.1 Key management through symmetric-key techniques • With n entities, nC2 = n(n-1)/2 pairwise secret keys are needed, hence the need for a TTP (Trusted Third Party) for symmetric key management.

  19. 1.11.2 key management through public-key tech. Advantages of this approach include: No trusted third party is required. The public file could reside with each entity. Only n public keys need to be stored to allow secure communications between any pair of entities, assuming the only attack is that by a passive adversary.

  20. 1.11.2 key management through public-key tech. To prevent this type of attack, the entities may use a TTP to certify the public key of each entity. The TTP has a private signing algorithm S_T and a verification algorithm V_T assumed to be known by all entities.

  21. 1.11.2 key management through public-key tech.

  22. 1.11.3 Trusted third parties and public-key certificate

  23. 1.12 Pseudorandom numbers and sequences

  24. 1.13 Classes of attacks & security models • Passive Attack vs. Active Attack • Passive Attack: • In a passive attack, the attacker only monitors the communication channel • That is, it is a threat to the confidentiality of data • Active Attack: • The attacker attempts to delete, add, or in some other way alter the transmission on the channel • Such attacks threaten data integrity and authentication as well as confidentiality

  25. 1.13.1 Attacks on encryption schemes (1/2) • The purpose of these attacks is • to recover plaintext from ciphertext, or even to deduce the decryption key (1) Ciphertext-only attack • Deduce the decryption key or plaintext by observing only the ciphertext (2) Known-plaintext attack • The adversary has a quantity of plaintext and corresponding ciphertext. (3) Chosen-plaintext attack • The adversary chooses plaintext and is then given corresponding ciphertext. Subsequently, the adversary uses any information deduced in order to recover plaintext corresponding to previously unseen ciphertext. (4) Adaptive chosen-plaintext attack • This is a chosen-plaintext attack wherein the choice of plaintext may depend on the ciphertext received from previous requests.

  26. 1.13.1 Attacks on encryption schemes (2/2) (5) Chosen-ciphertext attack • This attack is one where the adversary selects the ciphertext and is then given the corresponding plaintext. • One way to mount such an attack is for the adversary to gain access to the equipment used for decryption (but not the decryption key, which may be securely embedded in the equipment). • The objective is then to be able, without access to such equipment, to deduce the plaintext from (different) ciphertext. (6) Adaptive chosen-ciphertext attack • This is a chosen-ciphertext attack where the choice of ciphertext may depend on the plaintext received from previous requests.

  27. 1.13.2 Attacks on protocols (1) Known key attack • In this attack an adversary obtains some keys used previously and then uses this information to determine new keys. (2) Replay attack • In this attack an adversary records a communication session and replays the entire session, or a portion thereof, at some later point in time. (3) Impersonation attack • Here an adversary assumes the identity of one of the legitimate parties in a network. (4) Dictionary attack • This is usually an attack against passwords.

  28. 1.13.2 Attacks on protocols (5) Forward search • This attack is similar in spirit to the dictionary attack and is used to decrypt messages. • Suppose that in an electronic bank transaction the 32-bit field which records the value of the transaction is to be encrypted using a public-key scheme. This simple protocol is intended to provide privacy of the value field – but does it? • An adversary could easily take all 2^32 possible entries that could be plaintext in this field and encrypt them using the public encryption function. (Remember that by the very nature of public-key encryption this function must be available to the adversary.) • By comparing each of the 2^32 ciphertexts with the one which is actually encrypted in the transaction, the adversary can determine the plaintext. Here the public-key encryption function is not compromised, but rather the way it is used. • (Note on the figure, amount field of 32 bits:) When confidentiality relies on encrypting with the public key, the attacker generates every possible value of the amount field (2^32), encrypts each with the public key and keeps the results, then looks up the entry matching the encrypted bit pattern and immediately learns the amount. In this way the public-key system is cracked without any attack on the private key belonging to that public key. (6) Interleaving attack • This
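A scaled-down forward search against the value field described above, added here as an example that is not part of the slides. It uses a toy textbook-RSA public key (constructed, far too small for real use), a 16-bit field instead of the slide's 32 bits so the table builds in seconds, and a randomized variant that shows why the precomputed table then finds nothing. The padding scheme is a stand-in for a real randomized encoding such as OAEP.

```python
import secrets

# Toy textbook-RSA public key (constructed for this example; both factors are prime).
# Only the public half is needed: the adversary never decrypts anything.
P, Q = 999983, 1000003
N, E = P * Q, 65537
FIELD_BITS = 16  # slide uses 32; 16 keeps the search to 65536 encryptions


def rsa_encrypt(m):
    """Deterministic (textbook) RSA: the same plaintext always gives the same ciphertext."""
    return pow(m, E, N)


def encrypt_amount_deterministic(amount):
    """The slide's protocol: the bare amount field goes straight into the public function."""
    return rsa_encrypt(amount)


def encrypt_amount_randomized(amount):
    """Same public key, but a fresh random pad is prepended before encryption, so the
    adversary's table of bare-amount ciphertexts no longer matches. Pad is >= 1 so the
    padded plaintext can never collide with a bare amount (still far below N)."""
    pad = secrets.randbelow((1 << FIELD_BITS) - 1) + 1
    return rsa_encrypt((pad << FIELD_BITS) | amount)


def forward_search_table(encrypt):
    """Adversary's precomputation: encrypt every possible field value with the public key
    and index by ciphertext. Nothing here needs the private key."""
    return {encrypt(v): v for v in range(1 << FIELD_BITS)}


def recover(table, ciphertext):
    """Look the observed ciphertext up in the table; None means no entry matched."""
    return table.get(ciphertext)


def demo(amount=12345):
    """Returns (value recovered from the deterministic ciphertext,
                value recovered from the randomized ciphertext)."""
    table = forward_search_table(encrypt_amount_deterministic)
    leaked = recover(table, encrypt_amount_deterministic(amount))
    hidden = recover(table, encrypt_amount_randomized(amount))
    return leaked, hidden


if __name__ == "__main__":
    print(demo())  # deterministic: amount leaks; randomized: None
```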

  29. 1.13.2 Attacks on protocols (5) Interleaving attack (1/2) • This type of attack usually involves some form of impersonation in an authentication protocol (see §12.9.1). • (1) is the challenge, and (2) is the response to it: rA is signed with B's private key, and when A checks the signature on rA with B's public key it is assured that the peer is B. B also sends A a further challenge rB. • (3) is the second response: A signs the received rB with its private key and sends it.

  30. 1.13.2 Attacks on protocols (5) Interleaving attack (2/2) • The protocol between E and B is exactly the same as the preceding protocol; E fools B by behaving as if it were A. • If the contents of messages (2) and (3) are changed, this attack can be avoided. • Alternatively, if message identifiers are assigned, (2') is recognized as message (2) between A and E and is not mistaken for message (3) between E and B. • Or, if rA' in (3) is replaced by rA, the attack is defeated, because E has no way of making the rA it sent equal to A's rA'.
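The three-message protocol and the interleaving run from the two slides above, as an added example that is not part of the slides. Signatures are modelled symbolically (a signed tuple tagged with the signer's name, constructed for this example), which is enough to show that B accepts E's replayed message in the slide's protocol and rejects it under the slide's third remedy, where message (3) must carry the rA from message (1).

```python
import os

# Symbolic signature model (constructed for this example, not a real signature scheme):
# a signature is the signed fields tagged with the signer's name. The adversary E never
# calls sign() as "A" or "B", which stands in for E not holding their private keys.
def sign(signer, *fields):
    return (signer,) + fields


def verify(signer, sig, *fields):
    return sig == (signer,) + fields


def nonce():
    return os.urandom(8).hex()


def respond(me, peer, r_peer):
    """Message (2) as sent by a responder: pick r_me, return r_me, S_me(r_me, r_peer, peer)."""
    r_me = nonce()
    return r_me, sign(me, r_me, r_peer, peer)


def b_accepts_msg3(rA, rB, msg3, fixed):
    """B's check of message (3). Weak protocol: any rA' signed as S_A(rA', rB, B) passes.
    Fixed protocol (slide's third remedy): the signed nonce must equal rA from message (1)."""
    r, sig = msg3
    if fixed:
        return r == rA and verify("A", sig, rA, rB, "B")
    return verify("A", sig, r, rB, "B")


def honest_run(fixed):
    """A and B run the protocol with each other; returns True if B accepts A."""
    rA = nonce()                                    # (1) A -> B: rA
    rB, sigB = respond("B", "A", rA)                # (2) A <- B: rB, S_B(rB, rA, A)
    if not verify("B", sigB, rB, rA, "A"):          # A authenticates B
        return False
    r3 = rA if fixed else nonce()                   # (3) A -> B: rA (fixed) or fresh rA' (weak)
    return b_accepts_msg3(rA, rB, (r3, sign("A", r3, rB, "B")), fixed)


def interleaving_run(fixed):
    """E talks to B as 'A' and, in a parallel run, to A as 'B'; returns True if B accepts E."""
    rA = nonce()                                    # (1)  E -> B: rA
    rB, _ = respond("B", "A", rA)                   # (2)  E <- B: rB, S_B(rB, rA, A)
    rA_p, sigA = respond("A", "B", rB)              # (1') E -> A: rB  (2') E <- A: rA', S_A(rA', rB, B)
    return b_accepts_msg3(rA, rB, (rA_p, sigA), fixed)  # (3) E -> B: (2') replayed as message (3)


if __name__ == "__main__":
    print(honest_run(False), interleaving_run(False))  # True True  (weak protocol)
    print(honest_run(True), interleaving_run(True))    # True False (fixed protocol)
```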

  31. 1.13.3 Models for evaluating security • The model for evaluation of security (1/3) • The most practical security metrics are the computational, provable, and ad hoc methodologies (1) Unconditional security

  32. 1.13.3 Models for evaluating security (2) Complexity-theoretic security (3) Provable security

  33. 1.13.3 Models for evaluating security (4) Computational security

  34. 1.13.3 Models for evaluating security (5) Ad hoc security

  35. 1.13.4 Perspective for computational security To evaluate the security of cryptographic schemes, certain quantities are often considered.

  36. 1.13.4 Perspective for computational security
