lecture outline
play

Lecture Outline Review of Diffie-Hellman key exchange Looking at - PowerPoint PPT Presentation

Nov 11, 2022 •325 likes •1.07k views

Lecture Outline Review of Diffie-Hellman key exchange Looking at Authentication from a number of perspectives Today: authenticating users, services Agreeing on Secret Keys Without Prior Arrangement Diffie-Hellman Key Exchange

  1. Lecture Outline • Review of Diffie-Hellman key exchange • Looking at Authentication from a number of perspectives – Today: authenticating users, services

  2. Agreeing on Secret Keys Without Prior Arrangement

  3. Diffie-Hellman Key Exchange • While we have powerful symmetric-key technology, it requires Alice & Bob to agree on a secret key ahead of time • What if instead they can somehow generate such a key when needed ? • Seems impossible in the presence of Eve observing all of their communication … – How can they exchange a key without her learning it? • But: actually is possible using public-key technology – Requires that Alice & Bob know that their messages will reach one another without any meddling – So works for Eve-the-eavesdropper, but not Mallory-the-MITM – Protocol: Diffie-Hellman Key Exchange (DHE)

  4. Diffie-Hellman p, g Key Exchange p, g p, g Eve Alice Bob 1. Everyone agrees in advance on a well-known (large) prime p and a corresponding g : 1 < g < p-1

  5. Diffie-Hellman p, g a? b? Key Exchange p, g p, g Eve b a Alice Bob 2. Alice picks random secret ‘ a ’: 1 < a < p-1 3. Bob picks random secret ‘ b ’: 1 < b < p-1

  6. Diffie-Hellman p, g a? b? Key Exchange A B p, g p, g Eve b a Alice Bob A = g a mod p A g b mod p = B B 4. Alice sends A = g a mod p to Bob 5. Bob sends B = g b mod p to Alice Eve sees these

  7. Diffie-Hellman p, g a? b? Key Exchange A B p, g p, g Eve b a K K Alice Bob A = g a mod p A A B g b mod p = B B 6. Alice knows {a, A, B}, computes K = B a mod p = (g b ) a = g ba mod p 7. Bob knows {b, A, B}, computes K = A b mod p = (g a ) b = g ab mod p 8. K is now the shared secret key.

  8. Diffie-Hellman p, g a? b? Key Exchange A K? B p, g p, g Eve b a K K Alice Bob A = g a mod p A A B g b mod p = B B While Eve knows {p, g, g a mod p, g b mod p}, believed to be computationally infeasible for her to then deduce K = g ab mod p. She can easily construct A·B = g a ·g b mod p = g a+b mod p. But computing g ab requires ability to take discrete logarithms mod p.

  9. Attack on DHE p, g p, g p, g Mallory Alice Bob What happens if instead of Eve watching, Alice & Bob face the threat of a hidden Mallory (MITM)?

  10. Attack on DHE p, g p, g p, g Mallory Alice Bob What happens if instead of Eve watching, Alice & Bob face the threat of a hidden Mallory (MITM)?

  11. Attack on DHE p, g a? b? p, g p, g Mallory b a Alice Bob 2. Alice picks random secret ‘ a ’: 1 < a < p-1 3. Bob picks random secret ‘ b ’: 1 < b < p-1

  12. Attack on DHE p, g a? b? A p, g p, g Mallory b a Alice Bob A = g a mod p A 4. Alice sends A = g a mod p to Bob 5. Mallory prevents Bob from receiving A

  13. Attack on DHE p, g a? b? A, A' a', b' p, g p, g Mallory b a Alice Bob A' = g a' mod p A' A = g a mod p A 6. Mallory generates her own a', b' 7. Mallory sends A' = g a' mod p to Bob

  14. Attack on DHE p, g a? b? A, A' a', b' p, g p, g Mallory b a Alice Bob A' = g a' mod p A' A = g a mod p A A' g b mod p = B B 8. The same happens for Bob and B/B'

  15. Attack on DHE p, g a? b? A, B, A', B' a', b' p, g p, g Mallory b a Alice Bob A' = g a' mod p A' A = g a mod p B’ = g b' mod p A B' A' g b mod p = B B 8. The same happens for Bob and B/B'

  16. Attack on DHE p, g a? b? A, B, A', B' a', b' p, g p, g Mallory b a Alice Bob A' = g a' mod p A' A = g a mod p B' = g b' mod p A A' K' 1 = A b' mod p = g ab' mod p B' g b mod p = B B K' 2 = B a' mod p = g ba' mod p K' 1 = (B') a mod p K' 2 = (A') b mod p = (g b' ) a = g b'a mod p = (g a' ) b = g a'b mod p 9. Alice and Bob now compute keys they share with … Mallory! 10. Mallory can relay encrypted traffic between the two ... 10'. Modifying it or making stuff up however she wishes

  17. Questions?

  18. Thinking about Authentication • Fundamental issue for networking: – Parties only connected by untrustworthy medium • Broad & evolving topic • Goal: develop a sense for authentication paradigms & issues – Including weaker forms • Will include some review • Will skip some (much) state-of-the-art

  19. Thinking about Authentication, con’t • Spectrum: – Which user (human) am I dealing with? – Which server (institution) am I dealing with? – What attributes does this party have? • Affiliation, human-or-program, country, … – Is this the same entity as before? • A springboard for discussion: Let’s start with very basic circa 1990s web authentication …

  20. C → S: GET http://mybank.com/ S → C: page, including a login form C → S: POST http://mybank.com/login? u= USER &p= PASSWD [ server marks this session as authenticated ] S → C: Set-Cookie: sessionid= NONCE (Cookie is an “authenticator” for session) C → S: GET http://mybank.com/moneyxfer.cgi Cookie: sessionid= NONCE

  21. Threats? • No encryption: can know password, username, cookie • MITM can manipulate cookies, migrate user associated with activity • Weak passwords • Reused passwords

  22. Threats? • Sniffing, MITM (network; app-level relay) ⇒ Theft of password and/or authenticator • 3 rd -party manipulation of automation – E.g. CSRF (browser fetching of images) – E.g. XSS (browser execution of JS replies) • Password security – Blind guessing / bruteforcing – Reuse (breaches) – Phishing • Compromised client: hijacking

  23. Passwords • Issues? • Ways to make them better?

  24. SoK = Systemization of Knowledge

  25. https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf

  26. User doesn’t have to memorize anything (weaker: just 1 secret) https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf

  27. Cognitively practical for user having many accounts https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf

  28. No physical object (weaker: you carry it anyway) https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf

  29. No user action required (weaker: user speaks) https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf

  30. (E.g.: not a do-crypto- in-your-head scheme) https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf

  31. Doesn’t require much user time; new associations aren’t burdensome https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf

  32. Won’t frustrate legit users https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf

  33. Recovery is quick, low-hassle, assured https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf

  34. Works for users w/ physical disabilities/conditions https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf

  35. E.g.: plausible for startups to use https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf

  36. Can look like “incumbent” to servers https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf

  37. Just requires HTML5/JS; weaker: very common plugins https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf

  38. Not just a research prototype/toy https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf

  39. No licensing/$ required https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf

  40. Requires a bunch (> 10-20) of sessions for local attacker to subvert (even using sneaky techniques) https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf

  41. Possessing personal knowledge doesn’t help attacker; weaker: user must exercise https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf discipline in choices

  42. It takes a lot of guesses https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf

  43. It’s infeasible to guess (e.g. requires 2 64 tries) https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf

  44. Resists attacker who has client-side malware https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf or has broken TLS

  45. A problem at one site doesn’t endanger other sites https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf

  46. Resists off-line phishing https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf

  47. Attacker can’t benefit by stealing physical object; https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf weaker: it’s protected (e.g., PIN)

  48. Trust localized to user/service https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf

  49. User has to (knowingly) consent to authentication occurring https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf

  50. Two verifiers who collude can’t link user across them based on authenticaticator alone https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf

  51. https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf

  52. Issues w/ Biometrics? • Theft of artifact – High-res cameras + gummi bears • Theft of digitization (replay) – Need challenge/response protocol • Impairment – (Face recognition based on skull geometry) • Irrevocable – More like a username than a password

  53. Issues w/ Biometrics? • Theft of artifact – High-res cameras + gummi bears • Theft of digitization (replay) – Need challenge/response protocol • Impairment – (Face recognition based on skull geometry) • Irrevocable? – What if sites could implant a biometric?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

18.175: Lecture 4 Integration Scott Sheffield MIT 1 18.175 Lecture 4 Outline Integration

18.175: Lecture 4 Integration Scott Sheffield MIT 1 18.175 Lecture 4 Outline Integration

18.175: Lecture 4 Integration Scott Sheffield MIT 1 18.175 Lecture 4 Outline Integration Expectation 2 18.175 Lecture 4 Outline Integration Expectation 3 18.175 Lecture 4 Recall definitions Probability space is triple ( , F , P ) where

451 views • 11 slides
Lecture Outline Regeltechniek Previous lecture: Stability and transient response. Lecture 4

Lecture Outline Regeltechniek Previous lecture: Stability and transient response. Lecture 4

Lecture Outline Regeltechniek Previous lecture: Stability and transient response. Lecture 4 Basics of Feedback Control Robert Babu ska Today: Steady-state response. Delft Center for Systems and Control Faculty of Mechanical

388 views • 7 slides
Lecture Outline Regeltechniek Previous lecture: Nyquist plot and stability criterion. Lecture 11

Lecture Outline Regeltechniek Previous lecture: Nyquist plot and stability criterion. Lecture 11

Lecture Outline Regeltechniek Previous lecture: Nyquist plot and stability criterion. Lecture 11 State-space models and state feedback control (We are finished with frequency domain methods.) Robert Babu ska Today: Delft Center for

452 views • 6 slides
Lecture Outline Regeltechniek Lecture 1 Introduction Information about the course.

Lecture Outline Regeltechniek Lecture 1 Introduction Information about the course.

Lecture Outline Regeltechniek Lecture 1 Introduction Information about the course. Robert Babu ska Why is control essential. Delft Center for Systems and Control Faculty of Mechanical Engineering Basic elements of feedback.

403 views • 11 slides
Lecture Outline Systeem- en Regeltechniek II Previous lecture: Bode plots, stability, stability

Lecture Outline Systeem- en Regeltechniek II Previous lecture: Bode plots, stability, stability

Lecture Outline Systeem- en Regeltechniek II Previous lecture: Bode plots, stability, stability margins. Lecture 9 Lead and Lag Compensators Robert Babu ska Today: PID controller design. Delft Center for Systems and Control Faculty

447 views • 8 slides
Lecture Outline Systeem- en Regeltechniek II Previous lecture: PID controller design, lead and

Lecture Outline Systeem- en Regeltechniek II Previous lecture: PID controller design, lead and

Lecture Outline Systeem- en Regeltechniek II Previous lecture: PID controller design, lead and lag compen- Lecture 10 Nyquist plot and stability criterium sators. Robert Babu ska Today: Delft Center for Systems and Control Nyquist

444 views • 7 slides
18.175: Lecture 17 Poisson random variables Scott Sheffield MIT 18.175 Lecture 16 1 Outline More

18.175: Lecture 17 Poisson random variables Scott Sheffield MIT 18.175 Lecture 16 1 Outline More

18.175: Lecture 17 Poisson random variables Scott Sheffield MIT 18.175 Lecture 16 1 Outline More on random walks and local CLT Poisson random variable convergence Extend CLT idea to stable random variables 18.175 Lecture 16 2 Outline More on

225 views • 21 slides
Semantics &amp; Verification Lecture 13 Gerd Behrmann Outline of remaining lectures Lecture

Semantics &amp; Verification Lecture 13 Gerd Behrmann Outline of remaining lectures Lecture

Semantics &amp; Verification Lecture 13 Gerd Behrmann Outline of remaining lectures Lecture 9: Modelling real time system Lecture 10: More on Uppaal + mini projects Lecture 11: Mini projects Lecture 12: Verification of timed

589 views • 31 slides
Semantics &amp; Verification Lecture 14 Gerd Behrmann Outline of remaining lectures Lecture

Semantics &amp; Verification Lecture 14 Gerd Behrmann Outline of remaining lectures Lecture

Semantics &amp; Verification Lecture 14 Gerd Behrmann Outline of remaining lectures Lecture 9: Modelling real time system Lecture 10: More on Uppaal + mini projects Lecture 11: Mini projects Lecture 12: Verification of timed

779 views • 42 slides
Lecture Outline Regeltechniek Previous lecture: representation of dynamic models, transfer func-

Lecture Outline Regeltechniek Previous lecture: representation of dynamic models, transfer func-

Lecture Outline Regeltechniek Previous lecture: representation of dynamic models, transfer func- Lecture 3 Stability analysis and transient response tions and state-space models. Robert Babu ska Today: Delft Center for Systems and

266 views • 8 slides
Lecture 2 (I ): Lecture 2 (I ): Pipelining &amp; Retiming Pipelining &amp; Retiming

Lecture 2 (I ): Lecture 2 (I ): Pipelining &amp; Retiming Pipelining &amp; Retiming

Lecture 2 (I ): Lecture 2 (I ): Pipelining &amp; Retiming Pipelining &amp; Retiming Hsie-Chia Chang E-mail : hcchang@mail.nctu.edu.tw Fall 2006 Outline Outline Pipelining of FI R Digital filters Data-Broadcast Structures

453 views • 28 slides
15-780 Graduate AI: Lecture 1: Introduction and Logistics J. Zico Kolter (this lecture),

15-780 Graduate AI: Lecture 1: Introduction and Logistics J. Zico Kolter (this lecture),

15-780 Graduate AI: Lecture 1: Introduction and Logistics J. Zico Kolter (this lecture), Nihar Shah Carnegie Mellon University Spring 2020 1 Outline What is Artificial Intelligence? A brief history of AI Course logistics 2 Outline

580 views • 36 slides
Lecture Outline Regeltechniek Previous lecture: Root locus, frequency response derivation.

Lecture Outline Regeltechniek Previous lecture: Root locus, frequency response derivation.

Lecture Outline Regeltechniek Previous lecture: Root locus, frequency response derivation. Lecture 7 Frequency Response, Bode Plots Robert Babu ska Today: Handout for the remaining computer sessions. Delft Center for Systems and

332 views • 6 slides
Lecture Outline Systeem- en Regeltechniek II Previous lecture: The root locus method, analysis,

Lecture Outline Systeem- en Regeltechniek II Previous lecture: The root locus method, analysis,

Lecture Outline Systeem- en Regeltechniek II Previous lecture: The root locus method, analysis, design. Lecture 6 Root Locus, Frequency Response Robert Babu ska Today: Remarks on the computer session. Delft Center for Systems and

226 views • 6 slides
Lecture Outline Systeem- en Regeltechniek II Previous lecture: Bode plots, non-minimum-phase

Lecture Outline Systeem- en Regeltechniek II Previous lecture: Bode plots, non-minimum-phase

Lecture Outline Systeem- en Regeltechniek II Previous lecture: Bode plots, non-minimum-phase systems. Lecture 8 Frequency Domain Design Robert Babu ska Today: Bodes gain-phase relation. Delft Center for Systems and Control

109 views • 7 slides
Outline of the lecture Outline of the lecture Inequality and income The inverted-U

Outline of the lecture Outline of the lecture Inequality and income The inverted-U

Questions that we will discuss today Take historically given an initial distribution of assets, but then Inequality and Development Week 10 T k hi i ll i i i i l di ib i f b h ask the question: March 12 Do inequalities

180 views • 16 slides
Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1

Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1

PAKE Game-based Security Universal Composability LAKE Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1 David Pointcheval Ecole Normale Sup erieure Game-based Security 2 Universal

927 views • 10 slides
KCI-based MitM Attacks against TLS Prying Open Pandoras Box Clemens Hlauschek, Markus Gruber,

KCI-based MitM Attacks against TLS Prying Open Pandoras Box Clemens Hlauschek, Markus Gruber,

KCI-based MitM Attacks against TLS Prying Open Pandoras Box Clemens Hlauschek, Markus Gruber, Florian Fankhauser, Christian Schanes BS(l)idesVienna 0x7df whoami [ haku@bsidesbox ] % getent passwd whoami | awk F :

684 views • 33 slides
Diffie-Hellman Key Exchange Source: Wikipedia ElGamal Key Generator Generate primes p and

Diffie-Hellman Key Exchange Source: Wikipedia ElGamal Key Generator Generate primes p and

Diffie-Hellman Key Exchange Source: Wikipedia ElGamal Key Generator Generate primes p and q as well as an element g Z p that generates the subgroup G q . Choose a random x from { 0 , . . . , q 1 } . Compute h = g x .

754 views • 7 slides
Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018 Introduction y 2 = x 3 + ax + b en.wikipedia.org/wiki/Elliptic curve Elliptic Curve Addition P = ( x p .y p ), Q = ( x q , y q ), R = ( x r .y r ) =

187 views • 16 slides
Outline CPSC 418/MATH 318 Introduction to Cryptography More Number Theory 1 Primitive Roots

Outline CPSC 418/MATH 318 Introduction to Cryptography More Number Theory 1 Primitive Roots

Outline CPSC 418/MATH 318 Introduction to Cryptography More Number Theory 1 Primitive Roots (Recall) Number Theory, Security and Efficiency of Diffie-Hellman, Hash Eulers Function Functions Security of Diffie-Hellman 2 Discrete Log

671 views • 7 slides
MA111: Contemporary mathematics Entrance Slip (due 5 min past the hour): For each problem give the

MA111: Contemporary mathematics Entrance Slip (due 5 min past the hour): For each problem give the

MA111: Contemporary mathematics Entrance Slip (due 5 min past the hour): For each problem give the standard representation of the answer. Try not to use a calculator. 2 1 (mod 11) 2 2 = 2 2 (mod 11) 2 4 = (2 2) (2 2) (mod 11) 2 8 = (2

467 views • 7 slides
Applications Mark Zhandry Stanford University Diffie-Hellman Key Exchange Exchange keys over

Applications Mark Zhandry Stanford University Diffie-Hellman Key Exchange Exchange keys over

Multilinear Maps and Their Applications Mark Zhandry Stanford University Diffie-Hellman Key Exchange Exchange keys over a public channel: Public group , generator , order (Potential) Hard Problems in Groups Discrete Log (DL):

621 views • 60 slides
The Early Days of RSA -- History and Lessons Ronald L. Rivest MIT Lab for Computer Science ACM

The Early Days of RSA -- History and Lessons Ronald L. Rivest MIT Lab for Computer Science ACM

The Early Days of RSA -- History and Lessons Ronald L. Rivest MIT Lab for Computer Science ACM Turing Award Lecture Lessons Learned Try to solve real-world problems using computer science theory and number theory.

806 views • 22 slides

More recommend