Cryptographic Systems
1 Cryptographic Systems: Authentication
doc. RNDr. Jozef Jirásek, PhD.; Bc. Ján Kotrady; 2017/2018
Winter semester 2017, Authentication
2 Identity
Identity: factors that (as far as possible) uniquely identify a person (or another subject: a device, a system)
- knowledge: something the subject knows (password, PIN, answer to a question)
- possession: something the subject has (ID card, badge, phone, hardware key)
- inherence: something the subject is; biometrics (fingerprint, voice pattern, iris, typing rhythm, DNA, signature), proven by the degree of match in specified features
Two-factor (multi-factor) authentication: confirmation of several identity factors
3 Authentication (of a subject)
- authentication: proving the required identity factors at a given time in a given way
- it is carried out by an authentication protocol
- after the protocol completes, the verifier decides whether the claimant (prover) has proven its identity
- the verifier must not be able to use the obtained identification data in another authentication
- an eavesdropped authentication protocol run, or any part of it, must not help a third party obtain the claimant's identification data, modify them, or use them in another protocol
- authorization: permission to use a service or access an object
- access control: enforcing policies
4 Authentication
- registration: before authentication, the required data must be stored on the verifier's side
- authentication by identification
  - sensors for capturing biometrics (static, dynamic), devices for checking tokens and passwords
  - direct connection to a database, which is searched for a sufficient similarity
  - FAR: False Acceptance Ratio
  - FRR: False Rejection Ratio
- authentication by verification
  - the entity presents a confirmation (proof) of its identity
  - the match with the stored value is checked: success/failure
- authentication by group membership
5 Password authentication
- a character string, or a phrase from which the password is derived
- low entropy (random strings are hard to remember)
- brute-force attacks, dictionary attacks, history, environment, targeted attacks using knowledge about the subject
- Keeper's list of worst passwords in ... (surviving entries: qwerty; 8. password)
6 Password entropy
[Table, values lost in extraction. Rows: password length. Column labels: 94 characters; 10 characters (PIN); no checks; against dictionary attacks; random.]
7 Storing passwords
- plaintext (vulnerabilities: admin, backup, ...)
- H(pwd) (dictionary attacks, brute force, ...)
- H(pwd || salt): hashed together with a random string, against attacks on the password database
- H^c(pwd || salt): slowed-down hash function (several iterations, ...)
8 Attacks
- John the Ripper: 7-character passwords, 360-million dictionary (23% pwd)
- attack on all passwords (without salt)
- unsuitable encryption (ECB mode)
- attacks by precomputing hashes
- TMTO (time-memory trade-off) attacks: rainbow tables
    pwd_1 -> H -> R_1 -> H -> ... R_k -> H -> h_1
    pwd_2 -> H -> R_1 -> H -> ... R_k -> H -> h_2
    ...
  - the table stores, for h_1, h_2, ..., the values pwd_1, pwd_2, ...
  - for a sought hash h: if it is in the table as h_i, the corresponding password is computed from pwd_i; if not, try to find h = H(R_{t-1}(h)) (in the second-to-last position of the chains), and so on
  - completeness, problems with collisions, ...
9 Protection
- limiting the number of attempts, access control (online)
- a time window for one verification
- CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart
- protection of account names
- slow hashing, or hashing with a high memory cost (scrypt) (also against offline attacks)
- Password Hashing Competition: Argon2, Balloon
10 Simple authentication protocol
registration: A, salt_A, pa = h(pwd_A, salt_A)
authentication over a secured channel
    A → S : A
    S → A : input password
    A → S : pwd_A
    S verifies h(pwd_A, salt_A) =? pa

    A → S : A
    S → A : input password, salt_A
    A → S : h(pwd_A, salt_A), or E_S(h(pwd_A, salt_A))
problem with reuse of the response: replay attack
11 One-time passwords
- one-time passwords: a list, each entry deleted after use
- challenge from the verifier: the index of a password in the list
- PRF: pseudorandom functions built from symmetric cryptography
- RSA SecurID: AES_h(pwd)(count), changes every minute or after each use
- TOTP (timed one-time password)
  - Google Authenticator: into a QR code; the next login only with the latest authenticator
- PBKDF2 (Password-Based Cryptography Specification)
    U_1 = MAC_pwd(salt || i), U_2 = MAC_pwd(U_1), ..., U_c = MAC_pwd(U_{c-1})
    T_i = U_1 ⊕ U_2 ⊕ ... ⊕ U_c        (c: counter)
    K = T_1 || T_2 || T_3 ...
  (for WPA2: HMAC-SHA1, salt = ssid, c = 4096)
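The PBKDF2 formulas from this slide written out step by step, as an added example that is not part of the original slides. It is checked against Python's built-in `hashlib.pbkdf2_hmac`; the passphrases and SSIDs are constructed sample values, and the 4-byte big-endian encoding of i and the 32-byte output length are taken from the PBKDF2 and WPA2 specifications rather than from the slide.

```python
import hashlib
import hmac
import struct


def pbkdf2_block(pwd: bytes, salt: bytes, c: int, i: int, digest: str) -> bytes:
    """Return T_i = U_1 xor U_2 xor ... xor U_c for the 1-based block index i."""
    # U_1 = MAC_pwd(salt || i); i is encoded as a 4-byte big-endian integer.
    u = hmac.new(pwd, salt + struct.pack(">I", i), digest).digest()
    t = int.from_bytes(u, "big")
    for _ in range(c - 1):
        # U_j = MAC_pwd(U_{j-1}); every iteration costs the attacker one MAC too.
        u = hmac.new(pwd, u, digest).digest()
        t ^= int.from_bytes(u, "big")
    return t.to_bytes(len(u), "big")


def pbkdf2(pwd: bytes, salt: bytes, c: int, dklen: int, digest: str = "sha1") -> bytes:
    """K = T_1 || T_2 || ..., truncated to dklen bytes."""
    hlen = hashlib.new(digest).digest_size
    blocks = -(-dklen // hlen)  # ceil(dklen / hlen)
    key = b"".join(
        pbkdf2_block(pwd, salt, c, i, digest) for i in range(1, blocks + 1)
    )
    return key[:dklen]


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Slide parameters for WPA2: HMAC-SHA1, salt = SSID, c = 4096 (32-byte key)."""
    return pbkdf2(passphrase.encode(), ssid.encode(), 4096, 32, "sha1")


if __name__ == "__main__":
    # Constructed sample values, not taken from the slides.
    for ssid in ("LectureHall", "LectureHall-Guest"):
        print(ssid, wpa2_psk("correct horse battery", ssid).hex())
    # Same passphrase, different SSID: the salt forces a separate
    # precomputation per network name.
```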
12 Lamport identification scheme
H^(0)(k_A) = k_A; H^(i)(k_A) = H(H^(i-1)(k_A))
registration: A, pa = H^(n)(k_A), ca = n
identifier: H^(i)(k_A) for i = n-1, n-2, ..., 1
    A → S : A
    S → A : input password, ca
    A → S : Q = H^(ca-1)(k_A)
verification: H(Q) =? pa = H^(ca)(k_A)
then pa = Q, ca = ca − 1
- limited number of uses (up to 2^32)
- A remembers only log n of the generated passwords (pebbling)
- used in the S/Key protocol
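A small model of the Lamport scheme on this slide, as an added example that is not part of the original slides. It shows why a captured response and a stolen verifier record are both useless for a later login; SHA-256 as H, the class names and the secret are assumptions chosen for the illustration.

```python
import hashlib
import hmac


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def H_iter(k: bytes, i: int) -> bytes:
    """H^(i)(k): apply H to k exactly i times; H^(0)(k) = k."""
    for _ in range(i):
        k = H(k)
    return k


class Verifier:
    """Server S: stores only pa = H^(ca)(k_A) and the counter ca, never k_A."""

    def __init__(self):
        self.db = {}

    def register(self, name: str, pa: bytes, n: int) -> None:
        self.db[name] = (pa, n)

    def challenge(self, name: str) -> int:
        return self.db[name][1]              # S -> A : ca

    def verify(self, name: str, q: bytes) -> bool:
        pa, ca = self.db[name]
        if ca <= 1:                          # identifiers exist only for i = n-1 .. 1
            return False
        if not hmac.compare_digest(H(q), pa):
            return False                     # H(Q) != pa
        self.db[name] = (q, ca - 1)          # pa = Q, ca = ca - 1
        return True


class Claimant:
    """User A: holds k_A and recomputes Q on demand (no pebbling optimisation)."""

    def __init__(self, k_a: bytes):
        self.k_a = k_a

    def respond(self, ca: int) -> bytes:
        if ca <= 1:
            # Answering ca = 1 would put k_A itself on the wire.
            raise ValueError("chain exhausted, register a new k_A")
        return H_iter(self.k_a, ca - 1)      # Q = H^(ca-1)(k_A)


def demo(n: int = 5) -> dict:
    k_a = b"constructed-secret-of-A"         # constructed sample secret
    alice, server = Claimant(k_a), Verifier()
    server.register("A", H_iter(k_a, n), n)

    q1 = alice.respond(server.challenge("A"))
    first = server.verify("A", q1)           # honest login
    replay = server.verify("A", q1)          # eavesdropper resends the same Q
    stolen = server.verify("A", server.db["A"][0])  # verifier record used as password

    logins = 1
    while server.challenge("A") > 1:
        if not server.verify("A", alice.respond(server.challenge("A"))):
            break
        logins += 1
    return {"first": first, "replay": replay, "stolen_record": stolen,
            "logins": logins, "remaining_counter": server.challenge("A")}


if __name__ == "__main__":
    print(demo())
```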
13 Strong authentication
- against replay attacks: ensures freshness, a security attribute
- timestamp: attached to the password; requires time synchronization
- sequence number: a usage counter (the verifier must also remember the last value used)
- one-time challenge (nonce): a number usable only once within a time limit; it can be attached to the password
14 Authentication with a symmetric key
One-way authentication with key K_AB = AB
    A → B : E_AB(T_A, B)            with a timestamp
    A → B : E_AB(cnt_A, B)          with the current counter value
    B → A : N_B                     challenge (nonce)
    A → B : E_AB(N_B, B)            response
Mutual authentication
    A → B : E_AB(T_A, B)
    B → A : E_AB(T_B, A)            with a timestamp (similarly with a counter)
    B → A : N_B                     challenge/response with nonces
    A → B : E_AB(N_A, N_B, B)
    B → A : E_AB(N_B, N_A)
15 Authentication with a symmetric key
Mutual authentication, challenge/response
    1. B → A : E_AB(N_B)
    2. A → B : N_B, E_AB(N_A)
    3. B → A : N_A
possible attack: reflection
    1.  B → I_A : E_AB(N_B)
    1.* I_B → A : E_AB(N_B)
    2.* A → I_B : N_B, E_AB(N_A)
    2.  I_A → B : N_B, E_AB(N_A)
    3.  B → I_A : N_A
    3.* I_B → A : N_A
16 Authentication with a message authentication code
Mutual authentication, challenge/response without encryption
    1. B → A : N_B
    2. A → B : N_A, MAC_AB(N_A)
    3. B → A : MAC_AB(N_B)
possible attack: interleaving
    1.  I_B → A : N_I
    2.  A → I_B : N_A, MAC_AB(N_I)
    1*. I_A → B : N_A
    2*. B → I_A : N_B, MAC_AB(N_A)
    3.  I_B → A : MAC_AB(N_A)
the identity of the sender or the recipient must also be included in the MAC
17 Authentication with a message authentication code
Mutual authentication protocol MAP1 (Bellare-Rogaway)
    1. B → A : N_B
    2. A → B : N_A, MAC_AB(A, B, N_B, N_A)
    3. B → A : MAC_AB(B, N_B)
- published proof of security
- it can be endangered by the concurrent use of a similar protocol (EVE1)
    1. B → A : N_B
    2. A → B : N_A, MAC_AB(B, A, N_B, N_A)
    3. B → A : MAC_AB(B, N_B)
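The interleaving trace from the MAC challenge/response slide, replayed against a nonce-only MAC and against MAP1-style identity binding, as an added example that is not part of the original slides. Assumptions: each side MACs the nonce it received, as in the attack trace; MAP1's third message is MAC_AB(B, N_A) as in Bellare and Rogaway's paper; HMAC-SHA256, the `Party` class and the random key are illustrative.

```python
import hashlib
import hmac
import os


def mac(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()


class Party:
    def __init__(self, name: bytes, peer: bytes, key: bytes, bind_ids: bool):
        self.name, self.peer, self.key, self.bind_ids = name, peer, key, bind_ids
        self.n_own = b""

    # Initiator role (B on the slides)
    def initiate(self) -> bytes:
        self.n_own = os.urandom(16)
        return self.n_own                                    # 1. N_B

    def finish(self, n_resp: bytes, tag: bytes):
        """Check message 2 and return message 3, or None to abort."""
        if self.bind_ids:
            good = mac(self.key, self.peer, self.name, self.n_own, n_resp)
            reply = mac(self.key, self.name, n_resp)         # MAC(B, N_A)
        else:
            good = mac(self.key, self.n_own)
            reply = mac(self.key, n_resp)                    # MAC(N_A)
        return reply if hmac.compare_digest(tag, good) else None

    # Responder role (A on the slides)
    def respond(self, n_init: bytes):
        self.n_own = os.urandom(16)
        if self.bind_ids:
            tag = mac(self.key, self.name, self.peer, n_init, self.n_own)
        else:
            tag = mac(self.key, n_init)
        return self.n_own, tag                               # 2. N_A, MAC(...)

    def accept(self, tag: bytes) -> bool:
        """Check message 3; True means 'the peer holding K_AB is present'."""
        if self.bind_ids:
            good = mac(self.key, self.peer, self.n_own)
        else:
            good = mac(self.key, self.n_own)
        return hmac.compare_digest(tag, good)


def honest_run(bind_ids: bool) -> bool:
    key = os.urandom(32)
    a = Party(b"A", b"B", key, bind_ids)
    b = Party(b"B", b"A", key, bind_ids)
    n_a, tag2 = a.respond(b.initiate())
    tag3 = b.finish(n_a, tag2)
    return tag3 is not None and a.accept(tag3)


def interleaved_run(bind_ids: bool) -> bool:
    """Returns True if A accepts although the intruder never knew K_AB."""
    key = os.urandom(32)
    a = Party(b"A", b"B", key, bind_ids)
    b = Party(b"B", b"A", key, bind_ids)
    n_a, _ = a.respond(os.urandom(16))       # 1, 2 : I_B -> A : N_I ; A answers
    _, tag_from_b = b.respond(n_a)           # 1*, 2*: I_A -> B : N_A ; B answers
    return a.accept(tag_from_b)              # 3 : B's message-2 MAC reused as message 3


if __name__ == "__main__":
    print("nonce-only MAC, interleaving accepted:", interleaved_run(False))
    print("identity-bound MAC, interleaving accepted:", interleaved_run(True))
```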
18 Authentication with asymmetric cryptography
similarly for one-way authentication by signature
    1. B → A : N_B
    2. A → B : Sig_A(N_B)
possible relay (man-in-the-middle) attack
    1.  B → I_A : N_B
    1*. I → A : N_B
    2*. A → I : Sig_A(N_B)
    2.  I_A → B : Sig_A(N_B)
fix (challenge/response)
    1. B → A : N_B
    2. A → B : Sig_A(N_B, B)
19 Authentication with asymmetric cryptography
One-way authentication by a signature with the private key
    A → B : T_A, B, Sig_A(T_A, B)                  with a timestamp
    A → B : cnt_A, B, Sig_A(cnt_A, B)              with the current counter value
    B → A : N_B                                    challenge/response
    A → B : N_A, N_B, B, Sig_A(N_A, N_B, B)        (attach something to the signature!)
Mutual authentication
    A → B : T_A, B, Sig_A(T_A, B)
    B → A : T_B, A, Sig_B(T_B, A)                  with a timestamp (similarly with a counter)
    B → A : N_B                                    challenge/response with nonces
    A → B : N_A, N_B, B, Sig_A(N_A, N_B, B)
    B → A : N_B, N_A, A, Sig_B(N_B, N_A, A)        (can be parallelized)
20 Authentication with asymmetric cryptography
One-way authentication by encryption with a public key
    B → A : E_A(N_B, B)
    A → B : N_B
Needham-Schroeder (1978), mutual authentication
    1. A → B : E_B(N_A, A)
    2. B → A : E_A(N_A, N_B)        (identification of the sender is missing)
    3. A → B : E_B(N_B)
Attack (Lowe 1996)
    1.  A → I : E_I(N_A, A)
    1*. I_A → B : E_B(N_A, A)
    2*. B → I_A : E_A(N_A, N_B)
    2.  I → A : E_A(N_A, N_B)
    3.  A → I : E_I(N_B)
    3*. I_A → B : E_B(N_B)
21 Thank you for your attention.
22 AUTHENTICATION PROTOCOL
process of proving one's identity at the point in time when communication is actually occurring
    Alice → Bob : "I am Alice"
10 December 2017, J. Jirásek: Automatic tools...
23 AUTHENTICATION PROTOCOL
process of proving one's identity at the point in time when communication is actually occurring
    Eve → Bob : "I am Alice"        (failure scenario)
24 MORE SECRECY
use encryption by Bob's public key
    Alice → Bob : { I am Alice, passw }_KB
25 MORE SECRECY
use encryption by Bob's public key
    Alice → Bob : { I am Alice, passw }_KB        (message eavesdropped by Eve)
    Eve → Bob : { I am Alice, passw }_KB          (replay attack)
26 MORE FRESHNESS
- use a different password each time
- use timestamps (time synchronization)
    Alice → Bob : { I am Alice, passw, T }_KB
27 MORE FRESHNESS
use nonces: numbers used only once
    Bob → Alice : N_B
    Alice → Bob : { I am Alice, passw, N_B }_KB
    Eve : ???
28 AUTHENTICATION PROTOCOL WITHOUT PASSWORDS (NSPK 1978)
    Alice → Bob : { N_A, A }_KB        "This is Alice and I have chosen a nonce N_A."
    Bob → Alice : { N_A, N_B }_KA      "Here is your nonce N_A. Since I could read it, I must be Bob. I also have a challenge N_B for you."
    Alice → Bob : { N_B }_KB           "You sent me N_B. Since only Alice can read this and I sent it back, I must be Alice."
Alice believes she is talking with Bob.
Bob believes he is talking with Alice.
29 LOWE ATTACK ON NSPK (1995)
    Alice → Eve : { N_A, A }_KE        "This is Alice and I have chosen a nonce N_A."
    Eve knows N_A and forwards it to Bob.
    Eve → Bob : { N_A, A }_KB
    Bob → Alice : { N_A, N_B }_KA      "Here is your nonce N_A. I have a nonce N_B for you."
    Alice believes she is talking with Eve.
    Alice → Eve : { N_B }_KE           "Here is your nonce N_B. So, I must be Alice."
    Eve also knows N_B.
    Eve → Bob : { N_B }_KB
    Bob believes he is speaking with Alice.
30 NEEDHAM-SCHROEDER-LOWE (1995)
    Alice → Bob : { N_A, A }_KB          "This is Alice and I have chosen a nonce N_A."
    Bob → Alice : { N_A, N_B, B }_KA     "Here is your nonce N_A. Since I could read it, I must be Bob. I also have a challenge N_B for you."
    Alice → Bob : { N_B }_KB             "You sent me N_B. Since only Alice can read this and I sent it back, I must be Alice."
Alice believes she is talking with Bob.
Bob believes he is talking with Alice.
31 ATTACK?
    Alice → Eve : { N_A, A }_KE          "This is Alice and I have chosen a nonce N_A."
    Eve knows N_A and forwards it to Bob.
    Eve → Bob : { N_A, A }_KB
    Bob → Alice : { N_A, N_B, B }_KA     "Here is your nonce N_A. I have a nonce N_B for you. I am Bob."
    Alice wants to speak with Eve and expects Eve's name in the answer; she does not believe she is talking with Eve and stops the protocol.
    ???
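A symbolic replay of the Needham-Schroeder and Lowe traces from the slides above, as an added example that is not part of the original slides. Encryption is modelled as a box only its named owner can open (no real cryptography), and the class and function names are assumptions of this sketch; it checks that adding B's name to message 2 makes Alice abort the relayed run.

```python
import secrets


def enc(owner: str, *payload):
    """Symbolic public-key encryption: only `owner` can open the box."""
    return ("enc", owner, payload)


def dec(owner: str, box):
    _, to, payload = box
    if to != owner:
        raise PermissionError(f"{owner} cannot decrypt a message for {to}")
    return payload


class Initiator:
    def __init__(self, name: str, lowe_fix: bool):
        self.name, self.lowe_fix = name, lowe_fix
        self.peer = self.na = None

    def start(self, peer: str):
        self.peer, self.na = peer, secrets.token_hex(8)
        return enc(peer, self.na, self.name)             # 1. E_peer(N_A, A)

    def on_msg2(self, box):
        """Return message 3, or None if the run is aborted."""
        payload = dec(self.name, box)
        if self.lowe_fix:
            # Lowe's fix: message 2 must name the party A intended to talk to.
            if len(payload) != 3 or payload[2] != self.peer:
                return None
        elif len(payload) != 2:
            return None
        if payload[0] != self.na:
            return None
        return enc(self.peer, payload[1])                # 3. E_peer(N_B)


class Responder:
    def __init__(self, name: str, lowe_fix: bool):
        self.name, self.lowe_fix = name, lowe_fix
        self.peer = self.nb = None

    def on_msg1(self, box):
        na, claimed = dec(self.name, box)
        self.peer, self.nb = claimed, secrets.token_hex(8)
        extra = (self.name,) if self.lowe_fix else ()
        return enc(claimed, na, self.nb, *extra)         # 2. E_A(N_A, N_B[, B])

    def on_msg3(self, box) -> bool:
        (nb,) = dec(self.name, box)
        return nb == self.nb                             # True: B believes it talks to self.peer


def honest_run(lowe_fix: bool) -> bool:
    a, b = Initiator("A", lowe_fix), Responder("B", lowe_fix)
    m3 = a.on_msg2(b.on_msg1(a.start("B")))
    return m3 is not None and b.on_msg3(m3)


def relayed_run(lowe_fix: bool) -> dict:
    """A deliberately starts a run with I; I relays it to B under A's name."""
    a, b = Initiator("A", lowe_fix), Responder("B", lowe_fix)
    na, name = dec("I", a.start("I"))        # 1.  A -> I : E_I(N_A, A)
    m2 = b.on_msg1(enc("B", na, name))       # 1*. I_A -> B ; 2*. B -> I_A
    m3 = a.on_msg2(m2)                       # 2.  I -> A : forwarded unopened
    if m3 is None:
        return {"alice_aborted": True, "bob_accepts": False, "bob_thinks_peer": b.peer}
    (nb,) = dec("I", m3)                     # 3.  A -> I : E_I(N_B)
    ok = b.on_msg3(enc("B", nb))             # 3*. I_A -> B : E_B(N_B)
    return {"alice_aborted": False, "bob_accepts": ok, "bob_thinks_peer": b.peer}


if __name__ == "__main__":
    print("NSPK 1978:", relayed_run(False))
    print("with Lowe's fix:", relayed_run(True))
```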
More informationCourse Business. Homework 3 Due Now. Homework 4 Released. Professor Blocki is travelling, but will be back next week
Course Business Homework 3 Due Now Homework 4 Released Professor Blocki is travelling, but will be back next week 1 Cryptography CS 555 Week 11: Discrete Log/DDH Applications of DDH Factoring Algorithms,
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ IITD, CSE Dept. Delhi, India April 24 th,2002 Outline Security Protocols
More informationAutomatic Verification of Complex Security Protocols With an Unbounded Number of Sessions
Automatic Verification of Complex Security Protocols With an Unbounded Number of Sessions Kaile Su, Weiya Yue and Qingliang Chen Department of Computer Science, Sun Yat-sen University Guangzhou, P.R. China
More informationAnalysing privacy-type properties in cryptographic protocols
Analysing privacy-type properties in cryptographic protocols Stéphanie Delaune LSV, CNRS & ENS Cachan, France Wednesday, January 14th, 2015 S. Delaune (LSV) Verification of cryptographic protocols 14th
More informationCryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols
CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno Blanchet CNRS, École Normale Supérieure, INRIA, Paris March 2009 Bruno Blanchet (CNRS, ENS, INRIA) CryptoVerif March
More informationA Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures
A Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures Véronique Cortier LORIA, Nancy, France CNRS & INRIA Project Cassis cortier@loria.fr Michael Rusinowitch
More informationFull Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Full Attacks on HMAC/NMAC- and NMAC-MD5 Pierre-Alain Fouque, Gaëtan Leurent, Phong Nguyen Laboratoire d Informatique de l École Normale Supérieure CRYPTO 2007 1/26 WhatisaMACalgorithm? M Alice wants to
More informationA derivation system and compositional logic for security protocols
Journal of Computer Security 13 2005) 423 482 423 IOS Press A derivation system and compositional logic for security protocols Anupam Datta a,, Ante Derek a, John C. Mitchell a and Dusko Pavlovic b a Computer
More informationSimple Math: Cryptography
1 Introduction Simple Math: Cryptography This section develops some mathematics before getting to the application. The mathematics that I use involves simple facts from number theory. Number theory is
More informationLecture 22: RSA Encryption. RSA Encryption
Lecture 22: Recall: RSA Assumption We pick two primes uniformly and independently at random p, q $ P n We define N = p q We shall work over the group (Z N, ), where Z N is the set of all natural numbers
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationPublic-key cryptography and the Discrete-Logarithm Problem. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J.
Public-key cryptography and the Discrete-Logarithm Problem Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein Cryptography Let s understand what our browsers do. Schoolbook
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ PPL 01 March 21 st, 2001 Outline I. Security Protocols II. MSR by Examples
More informationFinal Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.
Final Exam Math 10: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 0 April 2002 :0 11:00 a.m. Instructions: Please be as neat as possible (use a pencil), and show
More informationTyped MSR: Syntax and Examples
Typed MSR: Syntax and Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ MMM 01 St. Petersburg, Russia May 22 nd, 2001 Outline
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationPassword Cracking: The Effect of Bias on the Average Guesswork of Hash Functions
Password Cracking: The Effect of Bias on the Average Guesswork of Hash Functions Yair Yona, and Suhas Diggavi, Fellow, IEEE Abstract arxiv:608.0232v4 [cs.cr] Jan 207 In this work we analyze the average
More informationMessage Authentication. Adam O Neill Based on
Message Authentication Adam O Neill Based on http://cseweb.ucsd.edu/~mihir/cse207/ Authenticity and Integrity - Message actually comes from. claimed Sender - Message was not modified in transit ' Electronic
More information