crypto conclusion maybe
play

Crypto Conclusion (maybe) Message Authentication Codes Key - PowerPoint PPT Presentation

Dec 25, 2022 •32 likes •512 views

Crypto Conclusion (maybe) Message Authentication Codes Key Management Fall 2018 CS 334: Computer Security 1 Message Authentication message authentication is concerned with: protecting the integrity of a message Confirming

  1. 
 Crypto Conclusion (maybe) Message Authentication Codes Key Management Fall 2018 CS 334: Computer Security 1

  2. Message Authentication • message authentication is concerned with: – protecting the integrity of a message – Confirming identity of sender – non-repudiation of origin (dispute resolution) – Very important for e-commerce • will consider the security requirements • then three alternative functions used: – message encryption – message authentication code (MAC) – hash function Fall 2018 CS 334: Computer Security 2

  3. General Security Requirements • disclosure This is message confidentiality. • traffic analysis We’ve dealt with it already. • Masquerade: insertion of message into network from fraudulent source • content modification: modification to content of message • sequence modification: modification to a sequence of messages, including insertion, deletion, reordering, etc. All the rest are authentication or integrity issues (including next slide) Fall 2018 CS 334: Computer Security 3

  4. General Security Requirements • Timing modification: Delay or replay of messages – E.g. in a connection-oriented application (say one that uses TCP) an entire session could be a replay of some previous valid session • Source repudiation: denial of transmission of message by source • Destination repudiation: Denial of receipt of message by destination Fall 2018 CS 334: Computer Security 4

  5. Message Encryption? • Does message encryption by itself also provides a measure of integrity and/or authentication? • After all, if symmetric encryption is used then it appears that: – receiver knows sender must have created it, since only sender and receiver know key used – know content cannot have been altered if message has suitable structure, redundancy, or a checksum to detect any changes • Answer: NO! Message encryption does not by itself provide either integrity or authentication. Fall 2018 CS 334: Computer Security 5

  6. Encryption does not provide authentication or integrity • It is often the case that a cryptographic key is shared by more than two parties, in which case authentication is out the window • Regarding integrity, the amount of damage (i.e., changes to the original plaintext) an adversary can inflict depends on the type of encryption as well as the mode of operation. • Ex. Stream ciphers allow an attacker to flip bits anywhere in the message – Person-in-the-middle can change ciphertext C = P ⨁ R to C ′ , which decrypts to C ′ ⨁ R – Can’t control what P is because they don’t know R, but can nevertheless change it! Fall 2018 CS 334: Computer Security 6

  7. Encryption does not provide authentication or integrity • It’s not just stream ciphers. Consider AES-CBC Example thanks to StackExchange Fall 2018 CS 334: Computer Security 7

  8. Encryption does not provide authentication or integrity • Note that if plaintext is longer than one block, first block can still be changed (at the cost of creating garbage for the remaining plaintext blocks, which may or may not be detected). • Authenticated encryption schemes solve this • AES-CBC is not one of them • In general, encryption without authentication/integrity is one of the most common mistakes in the use of cryptography – Serious vulnerabilities have resulted, including ASP.NET, XML encryption, Amazon EC2, JavaServer Faces, Ruby on Rails, OWASP ESAPI, IPSEC, and WEP. – See e.g., https://security.stackexchange.com/questions/2202/ lessons-learned-and-misconceptions-regarding-encryption- and-cryptology/2206#2206 Fall 2018 CS 334: Computer Security 8

  9. Message Encryption • if public-key encryption is used: – encryption provides no confidence of sender, since anyone potentially knows public-key – however if • sender signs message using their private-key • then encrypts with recipients public key • have both secrecy and authentication – again need to recognize corrupted messages – but at cost of two public-key uses on message Fall 2018 CS 334: Computer Security 9

  10. Fall 2018 CS 334: Computer Security 10

  11. Fall 2018 CS 334: Computer Security 11

  12. Message Authentication Code (MAC) • The answer to recognition of bad messages lies in creating a known structure somewhere in the message. This is part of the idea behind MACs • generated by an algorithm that creates a small fixed- sized block – depending on both message and some key – like encryption, BUT need not be reversible • appended to message as a signature • receiver performs same computation on message and checks it matches the MAC • provides assurance that message is unaltered and comes from sender Fall 2018 CS 334: Computer Security 12

  13. Message Authentication Code Fall 2018 CS 334: Computer Security 13

  14. Fall 2018 CS 334: Computer Security 14

  15. Message Authentication Codes • MAC does not provide secrecy • If using MAC with symmetric cipher: – generally use separate keys for each – can compute MAC either before or after encryption – is generally regarded as better done before (maybe) • Consider, e.g., malleability • why use a MAC? – sometimes only authentication is needed – sometimes need authentication to persist longer than the encryption (eg. archival use) • note that a MAC is not a digital signature – That is, the sender can still deny having sent the message Fall 2018 CS 334: Computer Security 15

  16. MAC Properties • a MAC is a cryptographic checksum MAC = C K (M) – condenses a variable-length message M – using a secret key K – to a fixed-sized authenticator • is a many-to-one function – potentially many messages have same MAC – but (obviously) finding these needs to be very difficult Fall 2018 CS 334: Computer Security 16

  17. Requirements for MACs Knowing a message and MAC, it is infeasible to find • another message with the same MAC • MACs should be uniformly distributed (among the space of possible MACs) • MAC should depend equally on all bits of the message Fall 2018 CS 334: Computer Security 17

  18. Hash Functions • condenses arbitrary message to fixed size • usually assume that the hash function is public and not keyed —this is the difference between a hash function and a MAC (the lack of key) • hash used to detect changes to message • can use in various ways with message • most often to create a digital signature Fall 2018 CS 334: Computer Security 18

  19. Hash Functions & Digital Signatures Fall 2018 CS 334: Computer Security 19

  20. Fall 2018 CS 334: Computer Security 20

  21. Fall 2018 CS 334: Computer Security 21

  22. Hash Function Properties • a Hash Function produces a fingerprint of some file/ message/data h = H(M) – condenses a variable-length message M – to a fixed-sized fingerprint • assumed to be public Fall 2018 CS 334: Computer Security 22

  23. Requirements for Hash Functions can be applied to any sized message M 1. produces fixed-length output h 2. is easy to compute h=H(M) for any message M 3. given h is infeasible to find x s.t. H(x)=h 4. • one-way property given x is infeasible to find y s.t . H(y)=H(x) 5. weak collision resistance • is infeasible to find any x,y s.t . H(y)=H(x) 6. • strong collision resistance Fall 2018 CS 334: Computer Security 23

  24. Birthday Attacks • might think a 64-bit hash is secure • but by Birthday Paradox is not • birthday attack works thus: m/2 variations of a valid message all with – opponent generates 2 essentially the same meaning (m is length of hash) m/2 variations of a desired – opponent also generates 2 fraudulent message – two sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox) – have user sign the valid message, then substitute the forgery which will have a valid signature • conclusion is that need to use larger hashes Fall 2018 CS 334: Computer Security 24

  25. Birthday Paradox • Classic probability problem that demonstrates that probability results often nonintuitive • The problem: Given a room with k people, what is the probability that two of them have the same birthday (same month and day, assume no twins, etc) • We seek P ( n , k ) Pr[ at least one duplicate in k items, = with each item able to take on one of n equally likely val ues between 1 and n ] We want P(365,k) Fall 2018 CS 334: Computer Security 25

  26. We start by computing Q Pr[ no matches], so P 1 -Q . = = First, number of ways of choosing k objects from group of 365 with no repeats : 365 ! K N 365 364 363 ( 365 k 1 ) = × × × × − + = ( 365 k )! − k If we allow repeats, then ther e are 365 possibilit ies. So, probabilit y of no repeats is 365 ! 365 ! ( 365 k )! − Q ( 365 , k ) = = k k 365 ( 365 k )! 365 − 365 ! Thus, P ( 365 , k ) 1 Q ( 365 , k ) 1 = − = − k ( 365 k )! 365 − Fall 2018 CS 334: Computer Security 26

  27. Graph of P(365,k) Fall 2018 CS 334: Computer Security 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE WILLIAMSBURG, VA THURSDAY, OCTOBER 17 TH , 2019 JOHN KELLY, PE IOWA DEPARTMENT OF PUBLIC HEALTH DISCLAIMER THIS PRESENTATION: IS INTENDED FOR

843 views • 40 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example

269 views • 7 slides
Crypto Conclusion Message Authentication Codes Key Management Fall 2012 CS 334: Computer

Crypto Conclusion Message Authentication Codes Key Management Fall 2012 CS 334: Computer

Crypto Conclusion Message Authentication Codes Key Management Fall 2012 CS 334: Computer Security 1 Message Authentication message authentication is concerned with: protecting the integrity of a message Confirming identity of

982 views • 46 slides
Cryptography for Software and Web Developers Part 5: Dont believe the crypto hype Hanno B

Cryptography for Software and Web Developers Part 5: Dont believe the crypto hype Hanno B

Snake Oil Nationalism Conclusion Cryptography for Software and Web Developers Part 5: Dont believe the crypto hype Hanno B ock 2014-05-28 1 / 10 New fancy crypto tool Snake Oil Example Telegram Nationalism Example Threema

670 views • 11 slides
- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops

- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops

- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops Did you know? Our payment system has ZERO FEES for processing payments How it works? It takes only a few minutes to complete Merchant Initiate

269 views • 11 slides
Javascript Crypto & The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on

Javascript Crypto & The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on

Javascript Crypto & The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on Real-World Crypto January 2013 promote openness, innovation & opportunity on the Web. previously easy to deploy easy to use privacy

610 views • 22 slides
Cryptanalysis of WIDEA Conclusion Hash collisions Key recovery Truncated differential FSE 2013

Cryptanalysis of WIDEA Conclusion Hash collisions Key recovery Truncated differential FSE 2013

Introduction 1/24 Gatan Leurent Cryptanalysis of WIDEA Conclusion Hash collisions Key recovery Truncated differential FSE 2013 UCL Crypto Group FSE 2013 Cryptanalysis of WIDEA G. Leurent Microelectronics Laboratory UCL Crypto Group

617 views • 32 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Radboud University Nijmegen e-Passport example

1.11k views • 12 slides
Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Crypto intro Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example Encryption: modes of operation Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information

856 views • 73 slides
Outline Public key crypto RSA Essentials Computer Security: Public Key Crypto Public Key Crypto

Outline Public key crypto RSA Essentials Computer Security: Public Key Crypto Public Key Crypto

Public key crypto Public key crypto RSA Essentials RSA Essentials Public Key Crypto in Java Public Key Crypto in Java Radboud University Nijmegen Radboud University Nijmegen Public key protocols Public key protocols Diffie-Hellman and El

448 views • 16 slides
w w w . a d i t u s . n e t Crypto-currencies have created a new class of a ffl uent individuals

w w w . a d i t u s . n e t Crypto-currencies have created a new class of a ffl uent individuals

Aditus Luxury Access Platform for Crypto A ffl uents Presentation 21 Nov 2017 w w w . a d i t u s . n e t Crypto-currencies have created a new class of a ffl uent individuals Crypto-currency values have been the best performing asset class

206 views • 19 slides
Algorithms, cryptography and protocols DONT EVER ROLL YOUR OWN PROTOCOL, CRYPTO ALGO, CRYPTO

Algorithms, cryptography and protocols DONT EVER ROLL YOUR OWN PROTOCOL, CRYPTO ALGO, CRYPTO

Algorithms, cryptography and protocols DONT EVER ROLL YOUR OWN PROTOCOL, CRYPTO ALGO, CRYPTO Use this space to add an image. IMPLEMENTATION, OR CRYPTO RNG Insert an image and change the scale to cover this box. ALSO, KEY MANAGEMENT IS

1.01k views • 81 slides
19 big enough? What marketing says Generate public keys 56-bit crypto: Broken. on a

19 big enough? What marketing says Generate public keys 56-bit crypto: Broken. on a

Is 2 255 19 big enough? What marketing says Generate public keys 56-bit crypto: Broken. on a strong elliptic curve 128-bit crypto: Okay. over the field Z (2 255 19). 256-bit crypto: High security! Is that safe? 512-bit

121 views • 11 slides
Cryptanalysis of C2 Julia Borghoff , Lars R. Knudsen, Gregor Leander, Krystian Matusiewicz CRYPTO

Cryptanalysis of C2 Julia Borghoff , Lars R. Knudsen, Gregor Leander, Krystian Matusiewicz CRYPTO

Outline C2 - description Attack scenarios Conclusion Cryptanalysis of C2 Julia Borghoff , Lars R. Knudsen, Gregor Leander, Krystian Matusiewicz CRYPTO 2009 1 / 19 Outline C2 - description Attack scenarios Conclusion C2 - description 1

979 views • 36 slides
Ethereum and the crypto landscape Different Crypto Value Propositions Name Payment Platform

Ethereum and the crypto landscape Different Crypto Value Propositions Name Payment Platform

Ethereum and the crypto landscape Different Crypto Value Propositions Name Payment Platform Stable Coin Dapps Sum $ Bitcoin 154.00 $ Ethereum 29.00 $ XRP 18.70 $ BCH 7.70 $ EOS 7.20 $ LiteCoin 7.00 $ BNB 4.70 $ Tether

160 views • 12 slides
Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for

Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for

Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for 2020 Tim Gneysu Hardware Security Group Horst Grtz Institute for IT-Security, Bochum 1/24/2013 Outline Introduction Alternative Public-Key

735 views • 55 slides
General Terms Cryptography Cryptology Cryptanalysis

General Terms Cryptography Cryptology Cryptanalysis

159 views • 3 slides
MD5 To Be Considered Harmful (Someday) Dan Kaminsky Basics MD5: Hashing algorithm

MD5 To Be Considered Harmful (Someday) Dan Kaminsky Basics MD5: Hashing algorithm

MD5 To Be Considered Harmful (Someday) Dan Kaminsky Basics MD5: Hashing algorithm Fingerprint of data easy to synthesize (push here), hard to fake (grow this) Known since 1997 it was theoretically not so hard to create

573 views • 35 slides
Has Hash h Fu Func nction tions Instructor: Ahmad Boorghany Most of the slides are obtained

Has Hash h Fu Func nction tions Instructor: Ahmad Boorghany Most of the slides are obtained

Data and Network Security Lab Sharif University of Technology Department of Computer Engineering Has Hash h Fu Func nction tions Instructor: Ahmad Boorghany Most of the slides are obtained from Bellare and Rogaways Introduction to

554 views • 43 slides
Security II: Cryptography Markus Kuhn Computer Laboratory, University of Cambridge

Security II: Cryptography Markus Kuhn Computer Laboratory, University of Cambridge

Security II: Cryptography Markus Kuhn Computer Laboratory, University of Cambridge https://www.cl.cam.ac.uk/teaching/1516/SecurityII/ Lent 2016 Part II 1 Related textbooks Main reference: Jonathan Katz, Yehuda Lindell: Introduction

1.87k views • 154 slides
Digital Signature And Hash Function

Digital Signature And Hash Function

Digital Signature And Hash Function 1 Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital Signature Biometric Signature

894 views • 52 slides
Some Project Ideas Read & Write something Constructions not covered in class (e.g., McEliece

Some Project Ideas Read & Write something Constructions not covered in class (e.g., McEliece

Some Project Ideas Read & Write something Constructions not covered in class (e.g., McEliece PKE, lattice- based PKE), primitives not covered (e.g., Zero-Knowledge, Oblivious Transfer), proofs not covered (e.g., security of TLS),

411 views • 13 slides
Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Introduction Hash-based MACs State recovery Universal forgery Key-recovery Conclusion Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 1 / 59 Gatan Leurent Inria Rocquencourt,

1.71k views • 102 slides
Cryptography Engineering and Cryptocurrency Yongdae Kim Definition A

Cryptography Engineering and Cryptocurrency Yongdae Kim Definition A

EE817/IS 893 Cryptography Engineering and Cryptocurrency Yongdae Kim Definition A hash function is a function h compression h maps an input x of arbitrary finite bitlength, to an output h(x) of fixed bitlength

862 views • 70 slides

More recommend