- 44 Views
- Uploaded on
- Presentation posted in: General

Security Introduction

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Security Introduction

Class 11

18 February 2003

- Security Properties
- Security Primitives
- Sample Protocols

- Alice (usually the protocol initiator)
- Bob, Alice’s friend
- Eve the eavesdropper
- Mallory the malicious adversary
- Trent the trusted server

- Confidentiality (secrecy)
- Eve cannot get any information
- Semantic security
- Even if Eve knows plaintext/ciphertext pairs, she cannot learn any new information

- Integrity
- Prevent modification

- Authentication
- Prevent impersonation
- Bob knows that Alice sent message

- Non-repudiation
- Alice cannot deny having created message

- Freshness
- Bob knows that Alice’s message is recent
- Replay protection
- Mallory cannot replay Alice’s messages

- Asymmetric (public-private key)
- Diffie-Hellman key agreement
- Public-key encryption
- Digital signature

- Symmetric (shared-key, same-key)
- Block cipher (pseudo-random permutation PRP)
- Stream cipher (pseudo-random generators PRG)
- Message authentication code (MAC)

- Others (unkeyed symmetric)
- One-way function
- Cryptographic hash function

- Diffie-Hellman key agreement
- Public values: large prime p, generator g
- Alice has secret value a, Bob has secret b
- A B: ga (mod p)
- B A: gb
- Bob computes (ga)b = gab
- Alice computes (gb)a = gab
- Eve cannot compute gab

- Problem: man-in-the-middle attack
- Mallory can impersonate Alice to Bob, Bob to Alice
- A M: ga (mod p)
- M A: gm
- M B: gm
- B M: gb
- Bob computes (gm)b = gbm
- Alice computes (gm)a = gam

- Public-key encryption
- El-Gamal encryption
- Public values: large prime p, generator g
- Alice has public key ga (mod p), private key a
- Bob wants to send message M to Alice
- Bob picks random x, computes (ga)x = gax
- B A: gx, Mgax

- Digital Signatures
- RSA signature
- Alice has large secret primes p, q
- Pick e, compute d s.t. ed = 1 mod (pq)
- Public key N=pq, e
- Private key p, q, d
- Signature generation of message M = H(M)d mod N
- Signature verification:e = H(M)ed = H(M)1 + K(pq) = H(M) (mod N)

- Block cipher is a pseudo-random permutation (PRP), each key defines a one-to-one mapping
- Encryption: EK(plaintext) = ciphertext
- Decryption: DK(ciphertext) = plaintext
- We write {plaintext}K for EK(plaintext)
- Encrypt each block separately
- Examples: DES, Rijndael

- Stream ciphers use pseudo-random generators (PRG)
- PRG
- Input: seed
- Output: pseudo-random stream

- Encryption: use shared key k and initialization vector IV for the seed ciphertext = plaintext PRG( k, IV )
- Send IV, ciphertext
- Examples: RC4, SEAL

- Message authentication codes (MAC)
- “Cryptographic checksum”, keyed hash
- Provides authentication, integrity
- Send M, MAC( K, M )
- Example: HMAC-MD5
- HMAC-MD5(K, M ) = MD5(K opad || MD5(K ipad || M))
- ipad = 3636..36, opad = 5C5C..5C

- Maps arbitrary-length input into finite length output
- Properties of a secure hash function
- One-way: Given y = H(x), cannot find x’ s.t. H(x’) = y
- Weak collision resistance: Given x, cannot find x’ ≠ x s.t. H(x) = H(x’)
- Strong collision resistance: Cannot find x, x’ s.t. H(x) = H(x’)

- Example: MD5, SHA-1

K3

K4

- Versatile cryptographic primitive
- Construction
- Pick random rN and public one-way function F
- ri = F(ri+1)
- Secret value: rN , public value r0

- Properties
- Use in reverse order of construction: r1 , r2 … rN
- Infeasible to derive ri from rj (j<i)
- Efficiently authenticate ri knowing rj (j<i):verify rj = Fi-j(ri)
- Robust to missing values

F

F

F

F

K5

K5

K6

K7

Symmetric crypto

72 bit key for high security (2000)

~1,000,000 ops/s

10x speedup in HW

Asymmetric crypto

1024 bit key for high security (RSA)

~100 signatures/s~1000 verify/s (RSA)

Marginal speedup in HW

- Sensor network encryption protocol (SNEP)
- Broadcast authentication TESLA
- PayWord
- MicroMint

- Communication
- Frequent node-base station exchanges
- Frequent network flooding from base
- Node-node interactions infrequent

- Base station
- Sufficient memory, power
- Shares secret key with each node

- Node
- Limited resources, limited trust

- Secure point-to-point communication
- Confidentiality
- Secrecy
- Authenticity
- Integrity
- Message freshness to prevent replay

- Existing protocols use expensive asymmetric crypto (e.g. SSL/TLS, IPSEC)

- Code size constraints code reuse
- Uses block cipher encrypt function
- Counter mode encryption
- Cipher-block-chaining message authentication code (MAC)
- Pseudo-random generator

- A and B share
- Encryption keys: KAB KBA
- MAC keys: K'AB K'BA
- Counters: CA CB

- To send data D, A sends to B:A B:{D}<KAB, CA> ,MAC( K'AB , [CA || {D}<KAB, CA>] )

- Secrecy & confidentiality
- Semantic security against chosen ciphertext attack
- Strongest security notion for encryption

- Authentication
- Replay protection
- Code size: 1.5 Kbytes
- Strong freshness protocol

- Broadcasts data over wireless network
- Packet injection usually easy
- Each receiver can verify data origin

Alice

M

Sender

M

Dave

M

M

Bob

Carol

Msg, MAC(K,Msg)

Msg, MAC(K,Msg)

Forged Msg, MAC(K, Forged Msg)

MAC: Message Authentication Code

(authentication tag)

Sender

K

K = shared key

Alice

K

Bob

K

- Signatures are expensive, e.g., RSA 1024:
- High generation cost (~10 milliseconds)
- High verification cost (~1 millisecond)
- High communication cost (128 bytes/packet)

- Very expensive on low-end processors
- If we aggregate signature over multiple packets, intolerant to packet loss

- Timed Efficient Stream Loss-tolerant Authentication
- Uses only symmetric cryptography
- Asymmetry via time
- Delayed key disclosure
- Requires loose time synchronization

- Published in IEEE Security and Privacy 2000,NDSS 2001 [PCST]

1: Verify K

2: Verify

MAC

3: P Authentic!

F: public one-way function

P

F(K)

Authentic

Commitment

K

disclosed

MAC(K,P)

t

- Receiver knows key disclosure schedule
- Security condition (for packet P): on arrival of P, receiver is certain that sender did not yet disclose K
- If security condition not satisfied, drop packet

- Authentication of P1: MAC(K5, P1 )

Authenticate K5

F

F

F

F

K3

K4

Verify MAC

P2

K5

- Keys disclosed 2 time intervals after use
- Receiver setup: Authentic K3, key disclosure schedule

K5

K5

K6

K7

t

Time 3

Time 4

Time 5

Time 6

Time 7

P1

K3

Authenticate K5

F

F

P3

P5

K3

K5

P1

P2

P4

Verify MACs

K2

K2

K4

K3

K4

K5

K6

K7

t

Time 4

Time 5

Time 6

Time 7

- Low overhead
- Communication (~ 20 bytes)
- Computation (~ 1 MAC computation per packet)

- Perfect robustness to packet loss
- Independent of number of receivers
- Delayed authentication
- Extensions:
- TIK: Instant key disclosure
- Heterogeneous receivers
- Instant authentication (sender buffers data)

- PayWord: a credit-based scheme using one-way hash chain:w0 w1 w2 w3 ...
- MicroMint: digital coins as k-way hash function collisions: x1 x2 x3 x4y

- Broker model to intermediate and aggregate

Banks and Credit-card

companies

Broker

1. Obtain

authorization or

coins

3. Redeem payments

User

(Inner loop)

Vendor

2. Purchase information from vendor; pay.

- Broker signs User’s public key (certificate)
- User creates one-way hash chain to buy goods from vendor, c0 , …, cN
- Each one-way chain element has value v
- User signs c0 and sends it to vendor
- User can incrementally pay by revealing successive elements ci
- Vendor redeems payment by cashing largest element cj , value = v*j

- A digital coin should be:
- Hard to produce [except by Broker]
- Easy to verify [by anyone]

- Digital signatures “work,” but are relatively expensive
- MicroMint uses hash functions only (no public-key crypto)
- Broker utilizes economy of scale to produce MicroMint coins cheaply (as with a regular mint)

Probability of finding collision

Number of balls thrown

- Pick a one-way hash function F, mapping inputs to n-bit outputs
- A valid coin is a k-way collision
- Find v1, …, vk, s.t. F(v1) = … = F(vk)
- Verification is very efficient
- Producing first 2-way collision requires time 2n/2(birthday paradox)
- Producing firstk-way collision requires time Nk = 2n(k-1)/k
- Time cNkyields ckcoins; once threshold of Nk is passed, coins are produced rapidly