1 / 40

Modern Cryptography Lecture 12

Modern Cryptography Lecture 12. Yongdae Kim. Admin Stuff. E-mail Subject should have [5471] in front, e.g. “[5471] Project proposal” CC TA: lin@cs.umn.edu Office hours Me: M 1:15 ~ 2:15, W 4:00 ~ 5:00 (and by appointment) TA: M 10:30 ~ 11:30, W 11:00 ~ 12:00 Work on projects

raheem
Download Presentation

Modern Cryptography Lecture 12

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Modern CryptographyLecture 12 Yongdae Kim

  2. Admin Stuff • E-mail • Subject should have [5471] in front, e.g. “[5471] Project proposal” • CC TA: lin@cs.umn.edu • Office hours • Me: M 1:15 ~ 2:15, W 4:00 ~ 5:00 (and by appointment) • TA: M 10:30 ~ 11:30, W 11:00 ~ 12:00 • Work on projects • 6th assignment is due 4/18 2:15 PM. • Check Calendar

  3. Recap • Math… • Proof techniques • Divisibility: a dividesb (a|b) if  c such that b = ac • GCD, LCM, relatively prime, existence of GCD • Eucledean Algorithm • d = gcd (a, b)   x, y such that d = a x + b y. • gcd(a, b) = gcd(a, b + ka) • Modular Arithmetic • a≡b (mod m) iff m | a-b iff a = b + mk for some k • a≡b (mod m), c≡d (mod m) a+c ≡(b+d) (mod m), ac ≡ bd (mod m) • gcd(a, n) =1  a has an arithmetic inverse modulo n. • Counting, probability, cardinality, … • Security Overview • one-way function if f(x) is easy to compute for all x  X, but it is computationally infeasible to find any x  X such that f(x) =y. • trapdoor one-way function if given trapdoor information, it becomes feasible to find an x  X such that f(x) =y.

  4. Recap • Cryptographic Primitives • SKE, PKE, Digital Signatures, Hash functions and MACs, Key Management through SKE, PKE • Block Ciphers • Modes of operation, meet-in-the-middle attack, Product cipher, Feistal cipher, DES • Hash function • Onewayness, weak/strong collision resistance, Birthday paradox • Merkle Damgard Construction • If the compression function is collision resistant, then strengthened Merkle-Damgård hash function is also collision resistant • Multi-collision attack, extension property • MAC • CBC-MAC, Secret prefix, Secret Suffix, HMAC • Authenticated Encryption

  5. Recap (cnt) • Advanced number theory • CRT, Euler theorem: If a  Zn* , then a f(n) =1 (mod n) • Cor: if r ´ s mod f(n) and (a, n)=1, then ar´ as (mod n) • Generator • If ordn(a) = f(n) then a is a generator of Zn*. • a is a generator iff a f(n)/p≠ 1 mod n for all p | f(n). • Let a  Zm* and ord(a) = h. Then ord(ak) = h/gcd(h, k). • RSA Encryption • n = pq, f(n) = (p-1)(q-1), gcd(f(n), e) = 1, ed 1 mod f(n) • A’s public key is (n, e); A’s private key is d • Encryption: compute c = me mod n, Decryption: m = cd mod n • RSA Security • Computing d from (n, e) and factoring n are computationally equivalent • n cannot be shared • Small encryption exponent e = 3 • Homomorphic property

  6. Recap (cnt) • Abstract Algebra • Group, cyclic groups, generator, group order, subgroup • Discrete logarithm problem • Diffie-Hellman • DLP vs. DHP, More efficient implementation (p, q, g) • Long-term vs. short-term Diffie-Hellman • ElGamal encryption • ElGamal vs. RSA encryption • RSA signature vs. DSA signature • Identificaiton: PINs and keys, graphical password, one-time pasword

  7. Another one-time password • Stores actual passwords on system side • Alice and Bob share a password P • Alice: generate r, send to Bob: (r, h(r, P)) • Check: Bob computes h(r, P), from given r, and local copy of P. • Security • Works only if r is something that will only be accepted once (else replay attack!) • Any other?

  8. Challenge-response authentication • Alice is identified by a secret she possesses • Bob needs to know that Alice does indeed possess this secret • Alice provides responseto a time-variant challenge • Response depends on both secret and challenge • Using • Symmetric encryption • One way functions • Public key encryption • Digital signatures

  9. Challenge Response using SKE • Alice and Bob share a key K • Taxonomy • Unidirectional authentication using timestamps • Unidirectional authentication using random numbers • Mutual authentication using random numbers • Unilateral authentication using timestamps • Alice  Bob: EK(tA, B) • Bob decrypts and verified that timestamp is OK • Parameter Bprevents replay of same message in B  A direction

  10. Challenge Response using SKE • Unilateral authentication using random numbers • Bob  Alice: rb • Alice  Bob: EK(rb, B) • Bob checks to see if rb is the one it sent out • Also checks “B” - prevents reflection attack • rb must be non-repeating • Mutual authentication using random numbers • Bob  Alice: rb • Alice  Bob: EK(ra, rb, B) • Bob  Alice: EK(ra, rb) • Alice checks that ra, rb are the ones used earlier

  11. Challenge-response using OWF • Instead of encryption, used keyed MAC hK • Check: compute MAC from known quantities, and check with message • SKID3 • Bob  Alice: rb • Alice  Bob: ra, hK(ra, rb, B) • Bob  Alice: hK(ra, rb, A)

  12. Challenge-response using PKE • Mutual Authentication based on PK decryption • Alice  Bob: PB(rA, B) • Bob  Alice: PA(rA, rB) • Alice  Bob: rB

  13. Challenge-response using DS • Timestamp-based • Alice  Bob: certA, tA, B, SA(tA, B) • Bob checks: • Timestamp OK • Identifier “B” is its own • Signature is valid (after getting public key of Alice using certificate) • Mutual Authentication using Signatures • Bob  Alice: rB • Alice  Bob: certA, rA, B, SA(rA,rB,B) • Bob  Alice: certB, A, SB(rA,rB,A)

  14. Key Establishment

  15. Classification and concepts • Use of trusted servers • key establishment involve a centralized or trusted party, for either or both initial system setup and on-line actions • trusted third party, authentication server, key distribution/ translation center, certification authority • secure key establishment • each party should be able to determine the true identity of the other(s) which could possibly gain access to the resulting key, implying preclusion of any unauthorized additional parties from deducing the same key • secrecy of key, and identification of those parties with access to it

  16. Classification and concepts

  17. Classification and concepts • (Implicit) Key authentication • Assurance that no other party aside from a specifically identified second party may gain access to a secret key • No explicit check! • Key confirmation • one party is assured that a second party actually has possession of a particular secret key • Explicit key authentication • both (implicit) key authentication and key confirmation • Possession of key: (keyed) one-way hash, encryption, ZK

  18. Classification and concepts • authenticated key establishment • key establishment + key authentication • identity-based • identity information of the party involved is used as public key • message-independent • messages sent by each party are independent of any per-session time-variant data (dynamic data) received from other parties • Message-independent protocols include non-interactive protocols (zero-pass and one-pass protocols)

  19. Why session key? • Def • ephemeral secret, i.e., one whose use is restricted to short time period after which all trace of it is eliminated • Motivation • to limit available ciphertext for cryptanalytic attack • to limit exposure, with respect to both time period and quantity of data, in the event of key compromise • to avoid long-term storage of a large number of distinct secret keys by creating keys only when actually required • to create independence across communications sessions or applications

  20. KE characteristics • nature: Any combination of entity authentication, key authentication, and key confirmation. • reciprocity of authentication: unilateral/mutual auth • key freshness • key control: key distribution vs. key agreement • efficiency • number of message exchanges • bandwidth required by messages • complexity of computations by each party • possibility of precomputation to reduce on-line complexity • third party requirements • requirement of an on-line (real-time), off-line, or no third party • type of certificate used • non-repudiation

  21. Assumptions, Adversaries • Attacks • passive attack: adversary simply records data, analyze • active attack: adversary modifies or injects messages • What are the attacker’s roles? • deduce a session key using info gained by tapping • participate covertly in protocol initiated by one party, and influence it by altering messages to deduce the key • initiate protocol executions and combine messages from one with another so as to carry out above attacks • without deducing the key, deceive good party regarding the identity of the party with which it shares a key

  22. PFS and Known Key Attacks • perfect forward secrecy • break long-term key ! break past session keys • previous traffic is locked securely in the past • generating session keys by DH key agreement, wherein DH exponentials are based on short-term keys • If long-term secrets are compromised, future session can be impersonated • known-key attack • compromise of past session keys allows either a passive adversary to compromise future session keys, or impersonation by an active adversary in the future. • in some environments, the probability of compromise of session keys may be greater than that of long-term keys

  23. Point-to-Point Key Update • Key Transport with one pass • A  B: EK(rA) • Implicit key authentication • Additional field • timestamp, sequence number: freshness • redundancy: explicit key authentication, message modification • target identifier: prevent undetectable message replay • Hence A  B: EK(rA, tA, B) • Mutual authentication: B  A: EK(rB, tB, A): K = f(rA, rB) • Key Transport with challenge-response • B  A: nB : for freshness • A  B: EK(rA, nA, nB, B) • B  A: EK(rB, nB, nA, A) • Cannot provide PFS • Authenticated Key Update Protocol • A  B: rA • B  A: (B, A, rA, rB), hK(B, A, rA, rB) • A  B: (A, rB), hK(A, rB) • W = h’K’(rB)

  24. Shamir’s no key algorithm • Protocol • A  B: KA mod p • B  A: (KA)B mod p • A  B: (KAB) A-1 mod p • Property • Provide key transport • No a priori information is required • Not necessarily modular exponentiation, but not one-time pad

  25. Kerberos • Basic • A, B, a TTP share long-term pairwise secret keys a priori • TTP either plays the role of KDC and itself supplies the session key, or serves as a key translation center (KTC) • A and B share no secret, T shares a secret with each • Goal: for B to verify A’s identity, establishing shared key • Description • A requests for credential to allow it to authenticate itself • T plays the role of a KDC, returning to A a session key encrypted for A and a ticket encrypted for B • The ticket contains the session key and A’s identity

  26. Kerberos (cnt.) • Protocol • A  T: A, B, NA NA: freshness • T  A: EKAT(k, A, L), EKBT(k, NA, L, B): L: lifetime • A  B: EKBT(k, A, L), Ek(A, TA, Asubkey) • B  A: Ek(TA, Bsubkey) Optional mutual authentication • Properties • secure and synchronized clocks • If password-based, protocol is susceptible to password-guessing attack • Asubkey and Bsubkey allow transfer of a key from A to B • Lifetime is intended to allow A to re-use the ticket

  27. A, B, NA EKBT(k, A, L), EKAT(k, NA, L, B) EKBT(k, A, L), Ek(A, TA, Asubkey) Ek(TA, Bsubkey) Recap: Kerberos T • EKBT(k, A, L): Token for B • EKAT(k, NA, L, B): Token for A • L: Life-time • NA? • Ek(A, TA, Asubkey): To prove B that A knows k • TA: Time-stamp • Ek(B, TA, Bsubkey): To prove A that B knows k B A

  28. EKGT(kAG, A, L), EKAT(kAG, NA, L, G) A, G, NA EKAG(kAB, NA’, L, B), EkGB(kAB, A, L, NA’) EKGT(kAG, A, L), EkAG(A, TA), B, NA’ EKGB (kAB, A, L, NA’), EkAB(A, TA’, Asubkey) Ek(TA’, Bsubkey) Recap: Kerberos (scalable) T (AS) G (TGS) B A

  29. Key Transport using PKC • Needham-Schroeder • Algorithm • A  B: PB(k1, A) • B  A: PA(k2, B) • A  B: PB(k2) • Properties: Mutual authentication, mutual key transport • Modified NS • Algorithm • A  B: PB(k1, A, r1) • B  A: PA(k2, r1, r2) • A  B: r2 • Removing third encryption

  30. Needham-Schroeder Algorithm A  B: PB(k1, A) B  A: PA(k1, k2, B) A  B: PB(k2) Modified NS Algorithm A  B: PB(k1, A, r1) B  A: PA(k2, r1, r2) A  B: r2 Removing third encryption Encrypting signed keys A  B: PB(k, tA, SA(B, k, tA)) Data for encryption is too large Encrypting and signing separately A  B: PB(k, tA), SA(B, k, tA) Acceptable only if no information regarding plaintext data can be deduced from the signature Signing encrypted keys A  B: tA, PB(A, k), SA(B, tA, PB(A, k)) Prevent the above problem Can provide mutual authentication Key Transport using PKC

  31. Combining PKE and DS • Assurances of X.509 strong authentication • identity of A, and the token received by B was constructed by A • the token received by B was specifically intended for B; • the token received by B has “freshness” • the mutual secrecy of the transferred key. • X.509 strong authentication • DA=(tA, rA, B, data1, PB(k1)), DB=(tB, rB, A, rA, data2, PA(k2)), • A  B: certA, DA, SA(DA) • B  A: certB, DB, SB(DB) • Comments • Since protocol does not specify inclusion of an identifier within the scope of the encryption PB within DA, one cannot guarantee that the signing party actually knows (or was the source of) plaintext key

  32. Hybrid Key Transport (PKE) • Beller-Yacobi (4 pass) • Properties • mutual authentication, explicit key authentication • for applications where there is imbalance in processing power • identity of the weaker remains concealed from eavesdroppers • Algorithm • B  A : certB = (IB, nB, GB) : certificate generated with RSA • A  B : PB(K) =K3 mod nB • B  A : EK(m, {0}t) : Encryption with symmetric key encryption • A  B : EK((v, w), certA) : DSA signature with precomputation • Comment • To achieve mutual authentication, each party carry out at least one private-key operation, and one or two public-key operations • careful selection of two separate public-key schemes • RSA PKE and ElGamal signature are cheap

  33. Hybrid Key Transport (PKE) • Beller-Yacobi (2 pass) • Algorithm (RSA vs. ElGamal again?) Terminal A Server B precompute x, v = gx mod nS select random challenge m verify certB via PT(GB)  send m, certB compute (v, w) =SA(m, IB) certB = (IB, nB, GB) send PB(v), Ev(certA, w)  recover v, set K = v certA = (IA, uA, GA) verify certA, signature (v, w) • IM: Identity of M, GM: Certificate of M, uA: ElGamal public key of A, nB: RSA modulus • Properties: slightly weaker authentication assurances • B obtains entity authentication of A and obtains a key K that A alone knows, while A has key authentication with respect to B • For A to obtain explicit key authentication of B, a third message may be added whereby B exhibits knowledge through use of K on a challenge or standard message (e.g., {0}t )

  34. Contents • Classification and framework • Key transport based on symmetric encryption • Key agreement based on symmetric techniques • Key transport based on public-key encryption • Key agreement based on asymmetric techniques • Analysis of key establishment protocols

  35. Diffie-Hellman • Diffie-Hellman • Setup: prime p, generator g of Zp* • A  B : gx mod p • B  A : gy mod p • Properties • fixed exponent: zero-pass key agreement with special certificate • Authentication is required

  36. MTI/A0 • Protocol • A  B : gx mod p • B  A : gy mod p • A: k = (gy)aPKbx = gya gbx = gya+bx • B: k = (gx)bPKay • source-substitution attack: C is not actually able to compute k itself, but rather causes B to have false belief • C registers A’s public key as its own • When A sends B, C replaces A’s certificate with its own • C forwards B’s response gy to A • B concludes that subsequently received messages encrypted by k = gbx+ay originated from C, it is only A who knows k and can originate such messages

  37. STS • Algorithm • A  B : gx mod p • B  A : gy mod p, Ek(SB(gy, gx)) • A  B : Ek(SA(gx, gy)) • Properties • Encryption under key k provides mutual key confirmation plus allows the conclusion that the party knowing the key is that which signed the exponentials.

  38. Contents • Classification and framework • Key transport based on symmetric encryption • Key agreement based on symmetric techniques • Key transport based on public-key encryption • Key agreement based on asymmetric techniques • Analysis of key establishment protocols

  39. Attack strategies and classic flaws • “man-in-the-middle” attack on unauthenticated DH • Reflection attack • Original protocol • A  B : rA • B  A : Ek(rA, rB) • A  B : rB • Attack • A  E : rA • E  A : rA : Starting a new session • A  E : Ek(rA, rA’) : Reply of (2) • E  A : Ek(rA, rA’) : Reply of (1) • A  E : rA’ • prevented by using different keys for different sessions

  40. Attack strategies and classic flaws • Interleaving attacks • To provide freshness and entity authentication • Flawed protocol • A  B : rA • B  A : rB, SB(rB, rA, A) • A  B : rA’, SA(rA’, rB, B) • Attack • E  B : rA • B  E : rB, SB(rB, rA, A) • E  A : rB • A  E : rA’, SA(rA’, rB, B) • E  B : rA’, SA(rA’, rB, B) • Due to symmetric messages (2), (3)

More Related