Lecture 14. Protocols. Key Distribution Center (KDC) or Trusted Third Party (TTP) KDC generates R1


Lecture 14
Protocols

Key Distribution Center (KDC) or Trusted Third Party (TTP)
KDC generates R1
Alice obtains R1
Msg1: K ()
Msg2: K (R1 K (R1) )
Msg3: K (R1)
Bob obtains R1 and knows to use as key for communicating with Alice
Alice and Bob communicate using R1 as short-term (session) key for encryption and/or data integrity
Note:
Msg2 is not tied to Msg1
Msg1 is possibly old
Msg2 is possibly old and so is Msg3
Bob and Alice don't authenticate each other!

Typical Key Distribution Scenario
(Diagram: message flows (1) to (5) involving the KDC)
(1) Request N_1
(2) E_K[K_s Request N_1 E_K(K_s)]
(3) E_K[K_s]
(4) E_Ks[N_2]
(5) E_Ks[f(N_2)]
Notes:
Msg2 is tied to Msg1
Msg2 is fresh/new
Msg3 is possibly old
* Msg1 is possibly old (KDC doesn't authenticate Alice)
Bob authenticates Alice
Bob authenticates KDC
Alice DOES NOT authenticate Bob (recall discussion in class)

Public Key Distribution
General schemes:
Public announcement (e.g. in a newsgroup or email message)
  Can be forged
Publicly available directory
  Can be tampered with
Public-key certificates (PKCs) issued by trusted off-line Certification Authorities (CAs)

Certification Authorities
Certification authority (CA): binds public key to a specific entity
Each entity (user, host, etc.) registers its public key with CA.
Bob provides proof of identity to CA.
CA creates certificate binding Bob to this public key.
Certificate containing Bob's public key digitally signed by CA: CA says: "this is Bob's public key"
(Diagram labels: Bob's public key PK; Bob's identifying information; digital signature; CA private key SK_CA; certificate for Bob's public key, signed by CA)

Certification Authorities
When Alice wants to get Bob's public key:
get Bob's certificate (from Bob or elsewhere).
using CA's public key, verify the signature on Bob's certificate
check for expiration
check for revocation (we'll talk about this later)
extract Bob's public key
(Diagram labels: PK; digital signature; Bob's public key PK; CA public key PK_CA)

Certificate Contains
Serial number (unique to issuer)
info about certificate owner, including algorithm and key value itself (not shown)
info about certificate issuer
valid dates
digital signature by issuer

Back to protocols

Needham-Schroeder Protocol (1978): 1st distributed security protocol
(Diagram: KDC, Alice, Bob; message flows 1 to 5)
1. → T: N
2. T → : {N K {K } K } K
3. → : {K } K
4. → : {N } K
5. → : {N -1} K

Security?
Denning-Sacco attack: suppose Eve recorded an old session for which session key K is known to her:
1. → T: N
2. T → : {N K {K } K } K
3. → : {K } K
-----------------------------------------------------
At a later time:
1. E → : {K } K
2. → E: {N } K
3. E → : {N -1} K
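The Denning-Sacco replay above and the timestamp check proposed on the next slide, as an added example that is not part of the lecture. It is a symbolic model: `enc`/`dec` stand in for real encryption, the ticket is taken in its textbook form {K, A, T} under Bob's key, and `MAX_SKEW`, `Bob`, `replay_old_session` and `demo` are assumed names.

```python
# Added illustration, not from the lecture. Symbolic model: a "ciphertext" is a
# tagged tuple that only opens with the same key; no real cryptography is used.
import secrets

MAX_SKEW = 60  # seconds of clock skew Bob tolerates (assumed value)

def enc(key, *fields):
    return ("enc", key, fields)

def dec(key, box):
    tag, k, fields = box
    if tag != "enc" or k != key:
        raise ValueError("wrong key")
    return fields

class Bob:
    def __init__(self, k_b, check_timestamp):
        self.k_b, self.check_timestamp = k_b, check_timestamp

    def accept_ticket(self, ticket, now):
        """Step 3: open {K, A, T}_KB and answer with the step-4 challenge {N_B}_K."""
        k_ab, peer, t = dec(self.k_b, ticket)
        # check_timestamp=False models the 1978 protocol, whose ticket has no T.
        if self.check_timestamp and abs(now - t) > MAX_SKEW:
            raise ValueError("stale ticket")
        self.nonce, self.session = secrets.randbits(64), (k_ab, peer)
        return enc(k_ab, self.nonce)

    def finish(self, reply):
        """Step 5: accept the peer only if the reply is {N_B - 1}_K."""
        k_ab, peer = self.session
        (n,) = dec(k_ab, reply)
        return peer if n == self.nonce - 1 else None

def replay_old_session(bob, old_ticket, leaked_key, now):
    """Eve resends a recorded step-3 ticket whose session key she has learned."""
    try:
        challenge = bob.accept_ticket(old_ticket, now)
    except ValueError:
        return None                         # Bob rejected the ticket
    (n_b,) = dec(leaked_key, challenge)     # knowing K lets Eve read N_B
    return bob.finish(enc(leaked_key, n_b - 1))

def demo():
    k_b, k_old = secrets.token_bytes(16), secrets.token_bytes(16)
    issued, now = 1_000, 1_000 + 30 * 24 * 3600    # constructed times: replay a month later
    ticket = enc(k_b, k_old, "Alice", issued)      # as issued by the KDC in the old run
    return (replay_old_session(Bob(k_b, False), ticket, k_old, now),
            replay_old_session(Bob(k_b, True), ticket, k_old, now))
```

`demo()` returns the identity Bob ends up accepting in each case: "Alice" when he ignores the timestamp, `None` when he enforces it.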

Fixing the attack
Bob has no guarantees about the freshness of the message in step 3.
Eve exploits this to impersonate Alice to Bob - old session keys are useful.
Can be fixed by adding timestamps: limits usefulness of old session keys
Eve's attack becomes:
3: E → : {K T } K
Attack is now thwarted because T is stale

PK-based Needham-Schroeder protocol
(Diagram: KDC / TTP, Alice, Bob; message flows 1 to 7)
1. {}
2. {PK } SK_T
3. [N ] PK
4. {}
5. {PK } SK_T
6. [N N ] PK
7. [N ] PK
CERT = Message 2
CERT = Message 5
PK : Alice's public key
PK : Bob's public key
SK_T : TTP's secret (private) key used for signing
Everyone knows TTP's public key PK_T

Another attack
1, 2, 4, 5: Delivery of public key
Does not guarantee freshness of the public key
How to solve it?
Timestamp in messages 2 and 5, or challenges in messages 1&2 and 4&5
Public Key Certificate: assign expiration time/data to each certificate (messages 2 and 5)

PK-based Denning-Sacco attack
(Diagram: KDC / TTP, Alice, Bob, C; annotations "Thinks she is talking to" and "Pretends to be")
Cert = {PK } SK_T
Cert = {PK } SK_T
Cert_C = {PK_C C} SK_T
1.
2. Cert Cert
3. Cert Cert [ {K T } SK ] PK
4. Secure communication with K
3. Cert Cert_C [ {K T } SK ] PK_C
4. Secure communication with K

Lowe's attack (Impersonation by interleaving)
Original
3. : [N ] PK
6. : [N N ] PK
7. : [N ] PK
Attack (E plays ):
1.3. E: [N ] PK_E
2.3. E : [N ] PK
2.6. E: [N N ] PK
1.6. E : [N N ] PK
1.7. E: [N ] PK_E
2.7. E : [N ] PK
Fix
3. : [N ] PK
6. : [ N N ] PK
7. : [N ] PK

PK-based Needham-Schroeder protocol
(Diagram: KDC / TTP, Alice, Bob; message flows 1 to 7)
1. {}
2. {PK } SK_T
3. [N ] PK
4. {}
5. {PK } SK_T
6. [N N ] PK
7. [N ] PK
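Lowe's interleaving attack and its fix from the slide above, replayed in a symbolic model as an added example that is not part of the lecture. The principal names A, B, E and the contents of messages 3, 6 and 7 follow the standard published form of the protocol; `penc`/`pdec` and the class names are assumptions standing in for real public-key encryption.

```python
# Added illustration, not from the lecture. Symbolic model: penc(X, ...) is a
# box only principal X can open; names A, B, E and all identifiers are assumed.
import secrets

def penc(owner, *fields):
    return (owner, fields)

def pdec(me, box):
    owner, fields = box
    if owner != me:
        raise ValueError("not my key")
    return fields

class Initiator:
    def __init__(self, name, peer, fixed):
        self.name, self.peer, self.fixed, self.na = name, peer, fixed, secrets.randbits(64)
    def msg3(self):
        return penc(self.peer, self.na, self.name)
    def msg7(self, msg6):
        fields = pdec(self.name, msg6)
        # Lowe's fix: message 6 also names the responder, and it must be our peer.
        sender = fields[0] if self.fixed else self.peer
        na, nb = fields[-2:]
        if sender != self.peer or na != self.na:
            raise ValueError("message 6 rejected")
        return penc(self.peer, nb)

class Responder:
    def __init__(self, name, fixed):
        self.name, self.fixed, self.nb = name, fixed, secrets.randbits(64)
    def msg6(self, msg3):
        na, self.claimed = pdec(self.name, msg3)
        body = (self.name, na, self.nb) if self.fixed else (na, self.nb)
        return penc(self.claimed, *body)
    def accept(self, msg7):
        (nb,) = pdec(self.name, msg7)
        return self.claimed if nb == self.nb else None   # who B thinks it talked to

def lowe_attack(fixed):
    alice = Initiator("A", "E", fixed)        # run 1: A starts a session with E
    bob = Responder("B", fixed)               # run 2: E poses as A towards B
    na, a = pdec("E", alice.msg3())           # 1.3  A -> E
    m6 = bob.msg6(penc("B", na, a))           # 2.3  E(A) -> B, then 2.6  B -> E(A)
    try:
        m7 = alice.msg7(m6)                   # 1.6  E -> A, then 1.7  A -> E
    except ValueError:
        return None                           # A aborts, so E never learns N_B
    (nb,) = pdec("E", m7)
    return bob.accept(penc("B", nb))          # 2.7  E(A) -> B
```

`lowe_attack(False)` returns "A" (B wrongly believes it completed a run with A), while `lowe_attack(True)` returns `None` because A sees B's name in message 6 of a run she started with E.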

Reflection attack and fix
Original protocol
1. :
2. : { } K
3. :
Attack
1. E :
2. E : : Starting new session
3. E : { } K : Reply to (2)
4. E : { } K : Reply to (1)
5. E :
Solutions?
Use 2 different uni-directional keys k (→) and k (→)
Remove symmetry (direction, msg identifiers)

Interleaving attacks
Protocol for mutual authentication
1. :
2. : { } SK
3. : { } SK
Attack
1. E :
2. E : { } SK
3. E :
4. E : { } SK
5. E : { } SK
Attack due to symmetric messages (2), (3)

Lessons learned?
Designing secure protocols is hard. There are many documented failures in the literature.
Good protocols are already standardized (e.g. ISO 9798, X.509), use them!
The problem of verifying security gets much harder as protocols get more complex (more parties, messages, rounds)

If interested in knowing more, read the paper:
"Programming Satan's Computer" by Anderson and Needham
available at: http://www.cl.cam.ac.uk/~rja14/papers/satan.pdf

Some Secure Protocol examples

Authenticated Public-Key-based Key Exchange (Station-to-Station or STS Protocol)
Alice: Choose random v. Compute K = ( y )^v mod p; SIG_Alice = { y y }
y = ^v mod p
CERT y SIG_Bob
CERT_Alice SIG_Alice
Bob: Choose random w. Compute K = ( y )^w mod p; y = ^w mod p; SIG_Bob = { y y }

X.509 Authentication & Key Distribution Protocols
One-way, Two-way, Three-way
(Diagram: message flows for each variant; fields legible in the messages: t, other, K, PK, SK; message numbers 1, 2, 3)