Security introduction

Security Introduction. Class 11 18 February 2003. Overview. Security Properties Security Primitives Sample Protocols. Introducing Protocol Participants. Alice (usually the protocol initiator) Bob, Alice’s friend Eve the eavesdropper Mallory the malicious adversary


Security Introduction

Class 11

18 February 2003


Overview

  • Security Properties

  • Security Primitives

  • Sample Protocols


Introducing Protocol Participants

  • Alice (usually the protocol initiator)

  • Bob, Alice’s friend

  • Eve the eavesdropper

  • Mallory the malicious adversary

  • Trent the trusted server


Security Properties

  • Confidentiality (secrecy)

    • Eve cannot get any information

    • Semantic security

      • Even if Eve knows plaintext/ciphertext pairs, she cannot learn any new information

  • Integrity

    • Prevent modification

  • Authentication

    • Prevent impersonation

    • Bob knows that Alice sent message


Security Properties (cont)

  • Non-repudiation

    • Alice cannot deny having created message

  • Freshness

    • Bob knows that Alice’s message is recent

    • Replay protection

      • Mallory cannot replay Alice’s messages


Security Primitives

  • Asymmetric (public-private key)

    • Diffie-Hellman key agreement

    • Public-key encryption

    • Digital signature

  • Symmetric (shared-key, same-key)

    • Block cipher (pseudo-random permutation PRP)

    • Stream cipher (pseudo-random generators PRG)

    • Message authentication code (MAC)

  • Others (unkeyed symmetric)

    • One-way function

    • Cryptographic hash function


Asymmetric Primitives

  • Diffie-Hellman key agreement

    • Public values: large prime p, generator g

    • Alice has secret value a, Bob has secret b

    • A → B: $g^a \pmod p$

    • B → A: $g^b$

    • Bob computes $(g^a)^b = g^{ab}$

    • Alice computes $(g^b)^a = g^{ab}$

    • Eve cannot compute $g^{ab}$


Asymmetric Primitives II

  • Problem: man-in-the-middle attack

  • Mallory can impersonate Alice to Bob, Bob to Alice

    • A → M: $g^a \pmod p$

    • M → A: $g^m$

    • M → B: $g^m$

    • B → M: $g^b$

    • Bob computes $(g^m)^b = g^{bm}$

    • Alice computes $(g^m)^a = g^{am}$
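The two exchanges above, run side by side, as an added example that is not part of the original slides. The prime `P`, the base `G` and the function names are assumptions chosen for the illustration; `G` is not checked to be a generator.

```python
import secrets

# Toy public values, constructed for this example only.
P = 2**127 - 1   # a Mersenne prime, far too small for real use
G = 3            # base g (assumed, not verified to generate the group)

def keypair():
    """Return (secret exponent s, public value g^s mod p)."""
    secret = secrets.randbelow(P - 3) + 2
    return secret, pow(G, secret, P)

def shared(my_secret, their_public):
    """(g^their)^mine mod p."""
    return pow(their_public, my_secret, P)

def honest_run():
    """A -> B: g^a, B -> A: g^b. Returns (Alice's key, Bob's key)."""
    a, ga = keypair()
    b, gb = keypair()
    return shared(a, gb), shared(b, ga)

def mitm_run():
    """Mallory swaps both public values for g^m, as on the slide.

    Returns (Alice's key, Bob's key, Mallory's key with Alice,
    Mallory's key with Bob).
    """
    a, ga = keypair()
    b, gb = keypair()
    m, gm = keypair()
    k_alice = shared(a, gm)          # Alice believes this is g^ab
    k_bob = shared(b, gm)            # Bob believes this is g^ab
    k_mallory_alice = shared(m, ga)  # g^am, equals Alice's key
    k_mallory_bob = shared(m, gb)    # g^bm, equals Bob's key
    return k_alice, k_bob, k_mallory_alice, k_mallory_bob

if __name__ == "__main__":
    ka, kb = honest_run()
    print("honest run, keys match:", ka == kb)
    k_alice, k_bob, km_a, km_b = mitm_run()
    print("Mallory holds Alice's key:", k_alice == km_a)
    print("Mallory holds Bob's key:  ", k_bob == km_b)
```

Neither Alice nor Bob sees anything unusual in the second run: each completes the exchange and holds a valid key, which is why the unauthenticated exchange gives no protection against Mallory.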


Asymmetric Primitives III

  • Public-key encryption

  • El-Gamal encryption

    • Public values: large prime p, generator g

    • Alice has public key $g^a \pmod p$, private key a

    • Bob wants to send message M to Alice

    • Bob picks random x, computes $(g^a)^x = g^{ax}$

    • B → A: $g^x$, $M \cdot g^{ax}$


Asymmetric Primitives IV

  • Digital Signatures

  • RSA signature

    • Alice has large secret primes p, q

    • Pick e, compute d s.t. $ed \equiv 1 \pmod{\varphi(pq)}$

    • Public key N = pq, e

    • Private key p, q, d

    • Signature generation of message M: $H(M)^d \bmod N$

    • Signature verification: $(H(M)^d)^e = H(M)^{ed} = H(M)^{1 + K\varphi(pq)} = H(M) \pmod N$


Symmetric Primitives

  • Block cipher is a pseudo-random permutation (PRP), each key defines a one-to-one mapping

  • Encryption: $E_K(\text{plaintext}) = \text{ciphertext}$

  • Decryption: $D_K(\text{ciphertext}) = \text{plaintext}$

  • We write $\{\text{plaintext}\}_K$ for $E_K(\text{plaintext})$

  • Encrypt each block separately

  • Examples: DES, Rijndael


Symmetric Primitives II

  • Stream ciphers use pseudo-random generators (PRG)

  • PRG

    • Input: seed

    • Output: pseudo-random stream

  • Encryption: use shared key k and initialization vector IV for the seed: ciphertext = plaintext ⊕ PRG(k, IV)

  • Send IV, ciphertext

  • Examples: RC4, SEAL


Symmetric Primitives III

  • Message authentication codes (MAC)

  • “Cryptographic checksum”, keyed hash

  • Provides authentication, integrity

  • Send M, MAC( K, M )

  • Example: HMAC-MD5

    • HMAC-MD5(K, M) = MD5(K ⊕ opad || MD5(K ⊕ ipad || M))

    • ipad = 3636..36, opad = 5C5C..5C
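The HMAC-MD5 formula above written out step by step and checked against Python's standard `hmac` module, as an added example that is not part of the original slides. It also shows the key preparation the slide leaves implicit: K is padded with zero bytes to the 64-byte MD5 block size, and hashed first if it is longer than that.

```python
import hashlib
import hmac

BLOCK = 64  # MD5 block size in bytes


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    """MD5(K xor opad || MD5(K xor ipad || M)), built from the formula."""
    if len(key) > BLOCK:                 # over-long keys are hashed first
        key = hashlib.md5(key).digest()
    key = key.ljust(BLOCK, b"\x00")      # then zero-padded to one block
    k_ipad = bytes(b ^ 0x36 for b in key)
    k_opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.md5(k_ipad + msg).digest()
    return hashlib.md5(k_opad + inner).digest()


def stdlib_hmac_md5(key: bytes, msg: bytes) -> bytes:
    """Reference value from the standard library."""
    return hmac.new(key, msg, hashlib.md5).digest()


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver side of 'Send M, MAC(K, M)': recompute, compare in constant time."""
    return hmac.compare_digest(hmac_md5(key, msg), tag)


if __name__ == "__main__":
    key = b"constructed-shared-key"      # constructed sample key
    msg = b"reading=42"                  # constructed sample message
    tag = hmac_md5(key, msg)
    print("matches stdlib:", tag == stdlib_hmac_md5(key, msg))
    print("original accepted:", verify(key, msg, tag))
    print("modified accepted:", verify(key, b"reading=43", tag))
```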


Cryptographic Hash Functions

  • Maps arbitrary-length input into finite length output

  • Properties of a secure hash function

    • One-way: Given y = H(x), cannot find x’ s.t. H(x’) = y

    • Weak collision resistance: Given x, cannot find x’ ≠ x s.t. H(x) = H(x’)

    • Strong collision resistance: Cannot find x, x’ s.t. H(x) = H(x’)

  • Example: MD5, SHA-1



One-Way Hash Chains

  • Versatile cryptographic primitive

  • Construction

    • Pick random $r_N$ and public one-way function F

    • $r_i = F(r_{i+1})$

    • Secret value: $r_N$, public value $r_0$

  • Properties

    • Use in reverse order of construction: $r_1, r_2, \dots, r_N$

    • Infeasible to derive $r_i$ from $r_j$ (j < i)

    • Efficiently authenticate $r_i$ knowing $r_j$ (j < i): verify $r_j = F^{i-j}(r_i)$

    • Robust to missing values

[Figure: key chain $K_3$, $K_4$, $K_5$, $K_6$, $K_7$, with links labelled F.]


Comparison Sym vs Asym Crypto

  • Symmetric crypto

    • 72 bit key for high security (2000)

    • ~1,000,000 ops/s

    • 10x speedup in HW

  • Asymmetric crypto

    • 1024 bit key for high security (RSA)

    • ~100 signatures/s, ~1000 verify/s (RSA)

    • Marginal speedup in HW


Sample Protocols

  • Sensor network encryption protocol (SNEP)

  • Broadcast authentication TESLA

  • PayWord

  • MicroMint


SPINS Assumptions

  • Communication

    • Frequent node-base station exchanges

    • Frequent network flooding from base

    • Node-node interactions infrequent

  • Base station

    • Sufficient memory, power

    • Shares secret key with each node

  • Node

    • Limited resources, limited trust


SNEP Security Goals

  • Secure point-to-point communication

    • Confidentiality

    • Secrecy

    • Authenticity

    • Integrity

    • Message freshness to prevent replay

  • Existing protocols use expensive asymmetric crypto (e.g. SSL/TLS, IPSEC)


Basic Crypto Primitives

  • Code size constraints → code reuse

  • Uses block cipher encrypt function

    • Counter mode encryption

    • Cipher-block-chaining message authentication code (MAC)

    • Pseudo-random generator


SNEP Protocol Details

  • A and B share

    • Encryption keys: $K_{AB}$, $K_{BA}$

    • MAC keys: $K'_{AB}$, $K'_{BA}$

    • Counters: $C_A$, $C_B$

  • To send data D, A sends to B: A → B: $\{D\}_{\langle K_{AB}, C_A \rangle},\ \mathrm{MAC}(K'_{AB},\ [C_A \,\|\, \{D\}_{\langle K_{AB}, C_A \rangle}])$
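The SNEP message above for one direction (A to B), as an added example that is not part of the original slides. Assumptions: HMAC-SHA256 stands in for the node's block cipher in both the counter-mode keystream and the MAC, and the class names, key values and 8-byte counter encoding are illustrative.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in (assumption) for the single block cipher SNEP reuses."""
    return hmac.new(key, data, hashlib.sha256).digest()


def ctr_xor(key: bytes, counter: int, data: bytes) -> bytes:
    """{D}<K, C>: XOR with a keystream derived from key and counter."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += prf(key, counter.to_bytes(8, "big") + block.to_bytes(4, "big"))
        block += 1
    return bytes(d ^ s for d, s in zip(data, stream))


class Sender:
    def __init__(self, k_enc: bytes, k_mac: bytes):
        self.k_enc, self.k_mac, self.counter = k_enc, k_mac, 0

    def send(self, data: bytes):
        c = self.counter.to_bytes(8, "big")
        ct = ctr_xor(self.k_enc, self.counter, data)
        tag = prf(self.k_mac, c + ct)        # MAC(K'_AB, [C_A || {D}])
        self.counter += 1
        return ct, tag                       # the counter is not transmitted


class Receiver:
    def __init__(self, k_enc: bytes, k_mac: bytes):
        self.k_enc, self.k_mac, self.counter = k_enc, k_mac, 0

    def receive(self, ct: bytes, tag: bytes):
        c = self.counter.to_bytes(8, "big")
        if not hmac.compare_digest(prf(self.k_mac, c + ct), tag):
            return None                      # modified, forged or replayed
        data = ctr_xor(self.k_enc, self.counter, ct)
        self.counter += 1                    # advance only on success
        return data


if __name__ == "__main__":
    k_enc, k_mac = b"E" * 16, b"M" * 16      # constructed sample keys
    a, b = Sender(k_enc, k_mac), Receiver(k_enc, k_mac)
    first, second = a.send(b"temp=21"), a.send(b"temp=21")
    print("same plaintext, different ciphertext:", first[0] != second[0])
    print("delivered:", b.receive(*first))
    print("replay of first message:", b.receive(*first))
```

Because both sides keep the counter as state, a lost packet desynchronizes them in this sketch; recovering from that is outside what the slide describes.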


SNEP Properties

  • Secrecy & confidentiality

    • Semantic security against chosen ciphertext attack

    • Strongest security notion for encryption

  • Authentication

  • Replay protection

  • Code size: 1.5 Kbytes

  • Strong freshness protocol


Need to Stretch?


Broadcast Authentication

  • Broadcasts data over wireless network

  • Packet injection usually easy

  • Each receiver can verify data origin

[Figure: the sender broadcasts message M to receivers Alice, Bob, Carol and Dave.]


Authentication Needs Asymmetry

  • K = shared key

  • MAC: Message Authentication Code (authentication tag)

[Figure: Sender, Alice and Bob each hold K. The sender's packets are labelled "Msg, MAC(K, Msg)"; one packet is labelled "Forged Msg, MAC(K, Forged Msg)".]


Digital Signatures Do Not Work

  • Signatures are expensive, e.g., RSA 1024:

    • High generation cost (~10 milliseconds)

    • High verification cost (~1 millisecond)

    • High communication cost (128 bytes/packet)

  • Very expensive on low-end processors

  • If we aggregate signature over multiple packets, intolerant to packet loss


TESLA

  • Timed Efficient Stream Loss-tolerant Authentication

  • Uses only symmetric cryptography

  • Asymmetry via time

    • Delayed key disclosure

    • Requires loose time synchronization

  • Published in IEEE Security and Privacy 2000, NDSS 2001 [PCST]


Basic Authentication Mechanism

  • F: public one-way function

  • 1: Verify K

  • 2: Verify MAC

  • 3: P Authentic!

[Figure: timeline t with an authentic commitment F(K), packet P carrying MAC(K, P), and the later disclosure of K.]


Security Condition

  • Receiver knows key disclosure schedule

  • Security condition (for packet P): on arrival of P, receiver is certain that sender did not yet disclose K

  • If security condition not satisfied, drop packet


TESLA

  • Keys disclosed 2 time intervals after use

  • Receiver setup: Authentic $K_3$, key disclosure schedule

  • Authentication of $P_1$: MAC($K_5$, $P_1$)

[Figure: timeline t over Time 3 to Time 7 with key chain $K_3$, $K_4$, $K_5$, $K_6$, $K_7$ linked by F; packets $P_1$ and $P_2$; steps "Authenticate $K_5$" and "Verify MAC".]


TESLA: Robust to Packet Loss

[Figure: timeline t over Time 4 to Time 7 with key chain $K_3$ to $K_7$ linked by F; packets $P_1$ to $P_5$ carrying disclosed keys; steps "Authenticate $K_5$" and "Verify MACs".]
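A receiver for the scheme on the One-Way Hash Chains and TESLA slides, as an added example that is not part of the original slides. It covers the security condition, authenticating a disclosed key against the last authentic one, and recovering a key whose disclosure packet was lost. Assumptions: SHA-256 as F, HMAC-SHA256 as the MAC, a dict as the packet layout, and a receiver clock counted in whole intervals.

```python
import hashlib
import hmac

DELAY = 2  # keys are disclosed 2 time intervals after use, as on the slide

def F(x, times=1):
    """Public one-way function (SHA-256, an assumption), applied `times` times."""
    for _ in range(times):
        x = hashlib.sha256(x).digest()
    return x

def make_chain(seed, n):
    """Return [K_0, ..., K_n] with K_i = F(K_{i+1}); K_n = seed is picked first."""
    chain = [seed]
    for _ in range(n):
        chain.append(F(chain[-1]))
    return chain[::-1]

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def make_packet(chain, i, data):
    """Packet for interval i: data, MAC(K_i, data) and the disclosed K_{i-DELAY}."""
    assert i >= DELAY, "no key is old enough to disclose yet"
    return {"i": i, "data": data, "mac": mac(chain[i], data),
            "key": (i - DELAY, chain[i - DELAY])}

class Receiver:
    def __init__(self, index, key):
        self.index, self.key = index, key   # latest authentic chain key
        self.pending, self.authentic = [], []

    def on_packet(self, pkt, now):
        # Security condition: buffer only if K_i cannot have been disclosed yet.
        if now < pkt["i"] + DELAY:
            self.pending.append(pkt)
        self.on_key(*pkt["key"])

    def on_key(self, j, key):
        # Authenticate K_j against the stored key: K_index = F^(j-index)(K_j).
        if j <= self.index or F(key, j - self.index) != self.key:
            return False
        self.index, self.key = j, key
        ready = [p for p in self.pending if p["i"] <= j]
        self.pending = [p for p in self.pending if p["i"] > j]
        for p in ready:
            k_i = F(key, j - p["i"])        # recover a key whose disclosure was lost
            if hmac.compare_digest(mac(k_i, p["data"]), p["mac"]):
                self.authentic.append(p["data"])
        return True
```

With a receiver set up on an authentic K3, a packet from interval 5 stays buffered until any later key on the chain arrives, so losing the packet that would have disclosed K5 only delays authentication.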


TESLA Summary

  • Low overhead

    • Communication (~ 20 bytes)

    • Computation (~ 1 MAC computation per packet)

  • Perfect robustness to packet loss

  • Independent of number of receivers

  • Delayed authentication

  • Extensions:

    • TIK: Instant key disclosure

    • Heterogeneous receivers

    • Instant authentication (sender buffers data)


PayWord and MicroMint

  • PayWord: a credit-based scheme using one-way hash chain: $w_0, w_1, w_2, w_3, \dots$

  • MicroMint: digital coins as k-way hash function collisions: $x_1, x_2, x_3, x_4 \to y$


PayWord Payment Model

  • Broker model to intermediate and aggregate

[Figure: parties are Banks and Credit-card companies, Broker, User and Vendor. 1. Obtain authorization or coins. 2. Purchase information from vendor; pay (inner loop). 3. Redeem payments.]


PayWord

  • Broker signs User’s public key (certificate)

  • User creates one-way hash chain to buy goods from vendor, $c_0, \dots, c_N$

  • Each one-way chain element has value v

  • User signs $c_0$ and sends it to vendor

  • User can incrementally pay by revealing successive elements $c_i$

  • Vendor redeems payment by cashing largest element $c_j$, value = $v \cdot j$


MicroMint

  • A digital coin should be:

    • Hard to produce [except by Broker]

    • Easy to verify [by anyone]

  • Digital signatures “work,” but are relatively expensive

  • MicroMint uses hash functions only (no public-key crypto)

  • Broker utilizes economy of scale to produce MicroMint coins cheaply (as with a regular mint)


Economy of Scale in MicroMint

[Figure: probability of finding collision plotted against number of balls thrown.]


Minting MicroMint Coins

  • Pick a one-way hash function F, mapping inputs to n-bit outputs

  • A valid coin is a k-way collision

  • Find $v_1, \dots, v_k$ s.t. $F(v_1) = \dots = F(v_k)$

  • Verification is very efficient

  • Producing first 2-way collision requires time $2^{n/2}$ (birthday paradox)

  • Producing first k-way collision requires time $N_k = 2^{n(k-1)/k}$

  • Time $cN_k$ yields $c^k$ coins; once threshold of $N_k$ is passed, coins are produced rapidly
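Minting and verifying at toy scale, as an added example that is not part of the original slides, to show the threshold effect described above. Assumptions: n = 12 and k = 4 (constructed toy parameters), F is the top n bits of SHA-256, inputs are the integers 0, 1, 2, ..., and each bin yields at most one coin.

```python
import hashlib
from collections import defaultdict

N_BITS, K = 12, 4   # toy parameters, constructed for the example


def F(x: int) -> int:
    """n-bit hash: the top N_BITS of SHA-256 over an 8-byte encoding of x."""
    digest = hashlib.sha256(x.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - N_BITS)


def mint(balls: int):
    """Throw `balls` inputs into 2^n bins; a bin holding >= K inputs gives a coin."""
    bins = defaultdict(list)
    for x in range(balls):
        bins[F(x)].append(x)
    return [tuple(v[:K]) for v in bins.values() if len(v) >= K]


def verify(coin) -> bool:
    """K hash evaluations: K distinct inputs that all map to the same value."""
    return (len(coin) == K and len(set(coin)) == K
            and len({F(v) for v in coin}) == 1)


def threshold() -> int:
    """N_k = 2^(n(k-1)/k) from the slide."""
    return round(2 ** (N_BITS * (K - 1) / K))


if __name__ == "__main__":
    n_k = threshold()
    for c in (1, 2, 4, 8):
        coins = mint(c * n_k)
        print(f"{c * n_k:5d} hashes -> {len(coins):3d} coins,"
              f" all valid: {all(verify(coin) for coin in coins)}")
```

The coin count grows much faster than the work once the threshold is passed, which is the economy of scale the broker relies on; the slide's $c^k$ figure is an order-of-magnitude estimate, so the counts at this toy scale come out lower.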

