
Lecture 7: Authentication, Helger Lipmaa



  1. T-79.159 Cryptography and Data Security. Lecture 7: Authentication. Helger Lipmaa, Helsinki University of Technology, helger@tcs.hut.fi. 10.03.2004

  2. Recap
     • Until now, we talked about confidentiality: how to keep data secret
     • Two long-known problems with the secret key cryptography:
       ⋆ Key distribution: Diffie-Hellman and derivatives
       ⋆ Authentication: topic of today’s talk

  3. How to prove that you are who you are?
     • Prove that you own something
       ⋆ Classically: passport, driver license, key
     • Prove that you know something
       ⋆ Classically: password
     • Prove that you are something
       ⋆ Semi-classically: biometrics, picture

  4. Cryptographic approach
     • Proving that you are something: almost impossible
       ⋆ Biometrics is often deceiving
       ⋆ How to do it by email?
     • Proving that you own something: OK, but own what?
       ⋆ Own a book with passwords? This is then proving that you know something (passwords!)
       ⋆ How to do it by email?
     • Proving knowledge: this is the cryptographic approach

  5. Major Concept: Proofs of knowledge
     • Intuition: you “are” P if you know her secret key
     • You prove the knowledge of this secret to the verifier
     • All possible verifiers V know the public key, and can verify the proof, based on that

  6. Proofs of Knowledge: Security Criteria
     • Criterion 1 (correctness):
       $$\Pr[V \text{ accepts } P\text{'s proof}] = \begin{cases} 1 - \varepsilon, & P \text{ knows secret} \\ \varepsilon, & P \text{ does not know secret} \end{cases}$$
       where $\varepsilon$ is “small”
     • Criterion 2 (privacy):
       ⋆ After (possibly many) interactions with a prover, V should not be able to pose as P to the third parties

  7. Identification vs Authentication
     Identification: You identify yourself as Peggy P, by proving you know her secret. Verifier V must not be able to replay your role with some other verifier (non-transferability).
     Authentication: You bind some data to yourself, so that the verifier can later prove to others that this document was authenticated by you (you cannot repudiate signing: non-repudiation).
     Non-repudiation ≠ Non-transferability!
     • MACs: non-transferability, no non-repudiation

  8. Signatures: shortly
     • You must authenticate some data m as coming from you
       ⋆ Everybody can verify that the data is from you
     • Important example: data = legal documents
       ⋆ Signature must be binding
       ⋆ You may get sued based on your signature. Several countries have digital signature laws

  9. Signatures: shortly
     • Signing: a mathematical function of the data $m$ and Alice’s secret key $sk_A$, $s = \mathrm{sign}(sk_A, m)$
     • Verification: function that accepts if $s$ was signed by Alice: $s = \mathrm{sign}(sk_A, m)$ if and only if $\mathrm{ver}(pk_A, m, s) = 1$
     • Initial idea (1975–1980): For a public key cryptosystem, use its secret key for signing and the public key for verification

  10. “Vanilla” RSA Signature Scheme
     • Public key: $(e, n)$, $n = pq$, where $p$, $q$ are large primes and $e$ is a public exponent
     • Secret key: $(p, q, d)$, where $d$ is the secret exponent
     • Signing $m$: $s = m^d \bmod n$
     • Verification: Check whether $m \stackrel{?}{=} s^e \bmod n$
     • Not secure: $m_1^d \cdot m_2^d = (m_1 m_2)^d$

  11. Identification protocols: idea (1/2)
     • A proves her identity to B
     • A must know the secret, it is not sufficient if she replays an old session
       ⋆ Cannot be achieved if B’s actions are deterministic
     • B must not be able to replay the protocol to C by taking A’s role
       ⋆ Cannot be achieved if A’s actions are deterministic
     • Thus, an identification protocol must include some randomness from both A and B

  12. Identification protocols: idea (2/2)
     • To have mutual randomness, A (resp. B) must send a message that depends on B’s (resp. A’s) random coins
     • General idea, challenge-response:
       ⋆ A sends a random-looking element to B,
       ⋆ B challenges A with a random message,
       ⋆ A responds with a message that shows that she knows the secret
     • Thus, both randomness and interactivity are needed

  13. Randomness and interactivity
     Very important: randomness and interactivity are needed to achieve many cryptographic goals!

                       Signing   Encryption   Identification
     Randomness        No ∗      Yes          Yes
     Interactivity     No        No           Yes

     ∗ Many signature schemes still use randomness (only in a very few settings it is known how to make deterministic and yet secure signature schemes)

  14. Identification Protocols: Usage Scenarios
     • Smart doors: use smart-card to get in
     • ATM: identify yourself as a legal customer
     • Different websites, e-banking
     Common problem: must avoid re-execution of the protocol by somebody else

  15. 3-round Proofs of Knowledge: History
     • The first known three-move (challenge-response) proof of knowledge is by Fiat and Shamir (based on the difficulty of factoring)
     • ... extended later by Fiat, Feige and Shamir (1988) and finally by Feige and Shamir (1990) that defined the notion of “witness hiding”.
     • Other desirable objectives of identification protocols are: special honest-verifier zero-knowledge, collision intractability, proofs of knowledge, special soundness. A witness hiding proof of knowledge can be used as a secure identification scheme.

  16. Notation
     • If $A$ is an algorithm, then the notation $a \leftarrow A(b)$ refers to the computation of the output “$a$”, on input bit string “$b$”.
     • For a set $V$, $v \leftarrow V$ denotes uniform and random selection of an element $v$ from $V$.
     • Red variables are known only to A. Blue variables are known only to B, green variables are known to both from the start of the protocol

  17. Faulty First Idea for Protocol
     • Use RSA-based authentication, where $w$ (witness) is the secret key of A and $e$ is the corresponding public key, and $c$ is a random challenge:
       B: $c \leftarrow \{0,1\}^*$, sends $c$ to A
       A: $z \leftarrow c^w \bmod n$, sends $z$ to B
       B: checks $c \stackrel{?}{=} z^e \bmod n$
     This prevents A from replaying the protocol. Still bad. Why?

  18. Faulty First Idea for Protocol
     • Use RSA-based authentication, where $w$ (witness) is the secret key of A and $e$ is the corresponding public key, and $c$ is a random challenge:
       B: $c \leftarrow \{0,1\}^*$, sends $c$ to A
       A: $z \leftarrow c^w \bmod n$, sends $z$ to B
       B: checks $c \stackrel{?}{=} z^e \bmod n$
     Weakness: the signed texts are chosen solely by B, and this may allow the verifier (B) to mount chosen-text attacks.
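The two RSA weaknesses from slides 10 and 17-18, as an added example that is not part of the original slides: the multiplicative property of vanilla RSA, and the fact that the prover's response in the faulty protocol is exactly a vanilla signature on whatever the verifier sent. The toy primes, the function names and the hash-then-sign contrast at the end (a standard countermeasure the slides do not cover) are assumptions of this example.

```python
import hashlib

# Constructed toy parameters (far too small for real use); names are this example's own.
P, Q, E = 1009, 1013, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # secret exponent d, the witness w of slides 17-18

def sign(m):
    """Vanilla RSA signing from slide 10: s = m^d mod n."""
    return pow(m, D, N)

def verify(m, s):
    """Vanilla RSA verification: accept iff m = s^e mod n."""
    return pow(s, E, N) == m % N

def combine(m1, s1, m2, s2):
    """Slide 10 weakness: two valid pairs give a valid pair for m1*m2, no key needed."""
    return (m1 * m2) % N, (s1 * s2) % N

def prover_response(c):
    """Prover A in the faulty protocol: z = c^w mod n for whatever c arrives."""
    return pow(c, D, N)

def verifier_check(c, z):
    """Verifier B in the faulty protocol: accept iff c = z^e mod n."""
    return pow(z, E, N) == c % N

def h(m):
    """Hash a message into Z_n (assumed countermeasure, not on the slides)."""
    return int.from_bytes(hashlib.sha256(str(m).encode()).digest(), "big") % N

def sign_hashed(m):
    return pow(h(m), D, N)

def verify_hashed(m, s):
    return pow(s, E, N) == h(m)

if __name__ == "__main__":
    m1, m2 = 42, 1000
    m3, s3 = combine(m1, sign(m1), m2, sign(m2))
    print("combined pair verifies:", verify(m3, s3))
    c = 31337  # chosen by B; A never intended to sign it
    z = prover_response(c)
    print("protocol accepts:", verifier_check(c, z), "| z is a signature on c:", z == sign(c))
    m3h, s3h = combine(m1, sign_hashed(m1), m2, sign_hashed(m2))
    print("combined pair verifies after hashing:", verify_hashed(m3h, s3h))
```

Because `prover_response` and `sign` are the same function, an identification key used this way must never double as a signing key.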

  19. Σ-Protocols. General Setting
     • Σ-protocol is a three-move protocol between two parties, “prover” A and “verifier” B, where the prover acts first.
     • The prover and verifier are modelled as probabilistic polynomial time interactive Turing machines (“efficient algorithms”).
     • Furthermore, an honest verifier is expected to send only uniformly and randomly chosen bits.
     • Such protocol is denoted by $(A, B)$.

  20. Σ-Protocols. Example
     • Secret key is $w$, public key is $v = g^w$
     • There is a relation $R$ between $w$ and $v$: $R(v, w) = 1 \iff v = g^w$
     • We need a Σ-protocol for proving that A knows $w$, s.t. $R(v, w) = 1$, that is, such that $g^w = v$

  21. Σ-Protocols. Inputs (1/2)
     • Both principals know $v$ (the public key of A)
     • Only A knows $w$ (the secret key / witness of A)
     • $R_A$ [resp. $R_B$] is the random secret input of A [resp. B].
       ⋆ Recall that randomness was necessary
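A three-move protocol for the relation $v = g^w$ with the inputs listed above, as an added example that is not part of the original slides: it uses the standard Schnorr identification protocol, which the slides shown here do not reach, so the message formulas are this example's assumption. The toy group and all function names are constructed for illustration; `extract` shows the special soundness property named on slide 15, and with it why A's randomness $R_A$ must be fresh in every session.

```python
import secrets

# Constructed toy group: p = 2q + 1 with p, q prime; g = 4 generates the order-q subgroup.
P, Q, G = 2039, 1019, 4

def keygen():
    w = secrets.randbelow(Q - 1) + 1          # witness / secret key, known only to A
    return w, pow(G, w, P)                    # public key v = g^w, known to both

def commit():
    r = secrets.randbelow(Q)                  # A's fresh randomness R_A
    return r, pow(G, r, P)                    # move 1 (A to B): a = g^r

def challenge():
    return secrets.randbelow(Q)               # move 2 (B to A): random c from R_B

def respond(w, r, c):
    return (r + c * w) % Q                    # move 3 (A to B): z = r + c*w mod q

def accept(v, a, c, z):
    return pow(G, z, P) == (a * pow(v, c, P)) % P   # B checks g^z = a * v^c

def run_session(w, v):
    r, a = commit()
    c = challenge()
    return accept(v, a, c, respond(w, r, c))

def extract(c1, z1, c2, z2):
    """Two accepting transcripts with the same commitment a reveal the witness w."""
    return ((z1 - z2) * pow((c1 - c2) % Q, -1, Q)) % Q

if __name__ == "__main__":
    w, v = keygen()
    print("honest session accepted:", run_session(w, v))
    r, a = commit()                           # the same r answered for two challenges
    z1, z2 = respond(w, r, 5), respond(w, r, 9)
    print("witness recovered from reused commitment:", extract(5, z1, 9, z2) == w)
```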
