Certified Security Proofs of Cryptographic Protocols in the Computational Model : an Application to Intrusion Resilience
|
|
- Spencer Baker
- 8 years ago
- Views:
Transcription
1 Certified Security Proofs of Cryptographic Protocols in the Computational Model : an Application to Intrusion Resilience Pierre Corbineau Mathilde Duclos Yassine Lakhnech Université de Grenoble, CNRS Verimag, Grenoble, France December 9th 2011
2 Introduction We report on A formalization in Coq of CIL: Computational Indistinguishability Logic [CCS 10] a logic for proving correctness of cryptographic systems in the complexity-theoric model; and its application to prove correctness of an intrusient-resilient key-exchange protocol - a non-trivial protocol in a model that goes beyond the black box model.
3 Security Protocols are rules for exchanging messages ensure secure communication on an open network in the presence of adversaries applications: ATM, e-commerce, electronic vote or contract signing, etc. of particular importance: authenticated key-exchange protocols Confidentiality: key is indistinguishable from a random key Authentication: in a presence of a passive adversary, two legitimate partners engaged in a session compute the same key.
4 Motivation Cryptographers develop proofs in the complexity-theoretic (computational) model: System: a set of randomized oracles, called oracle system. Adversary: any randomized machine with access to the oracles. She tries to answer a question. Correctness: a bound on the probability that the adversary answers correctly depending on the ressources of the adversary, both in terms of computation and number of calls to the oracles. Black-Box model does not give any extra information on the internal state of the oracle system. I.e., view of the adversary is the interaction. Non-black-box: some information about the internal state of the oracles.
5 State of affairs Many flawed security proofs in the literature: Asiacrypt 05: Jackobson-Pointcheval 01, Wong-Chan 01, Abdalla-Pointcheval 05, Bellare-Canetti-Krawczyck 98, Bellare-Rogaway s OAEP,... Adhoc definitions of properties. Proofs are adhoc, untrustable,... Many models that depend on the properties, cryptographic primitives, strength of the adversary, etc... Can Formal Methods offer something? Our research program: Computer-aided Formal Proofs in the complexity-theoretic approach
6 Outline 1 CIL in Coq Oracle systems Adversary Indistinguishability and Contexts 2 Dziembowski s intrusion resilient protocol Intrusion-Resilient Key Generation Protocol Proof in CIL of the Key Generation Protocol
7 Outline 1 CIL in Coq Oracle systems Adversary Indistinguishability and Contexts 2 Dziembowski s intrusion resilient protocol Intrusion-Resilient Key Generation Protocol Proof in CIL of the Key Generation Protocol
8 Oracles and signatures Cryptographic systems are modeled as oracle systems. Each oracle has : A name of type oracle_name An input type and an output type An implementation complying with this signature and the internal state of the system Record oracle_signature := mkos { oracle_name : Type; oracle_input: oracle_name -> Type; oracle_output: oracle_name -> Type.} Definition oracle_fun (input:type) (output:type) := input * State -> distr (output * State). Variable os : oracle_signature. Definition oracle_functions := forall name, oracle_fun (oracle_input os name) (oracle_output os name).
9 Adversary model An adversary interacts with the oracle system by sending queries. D e f i n i t i o n run_function state A := state - > distr ( Response state A). A response can be : a request of an oracle call a final value to be returned I n d u c t i v e Response state A := Request : f o r a l l ( name : oracle_name os), ( oracle_ input os name ) - > ( oracle_ output os name - > state ) -> Response state A Return : A -> Response state A.
10 Indistinguishability Indistinguishablity between two oracles systems: A, O 1 k,ɛ O 2 ( O.P (A O) ( ) = 1) ( O, o.p (A O) (# o > k o ) = 0) P(A O1 )(answer = true) P (A O2 )(answer = true) ɛ Definition indistinguishable (f1:frame os State) (f2:frame os State2) (call_bound:oracle_name os -> nat) (epsilon:u):= forall (att:attack _ bool), at_most_calls att call_bound -> diff (outcome f1 att (True_ev _)) (outcome f2 att (True_ev _)) <= epsilon.
11 Contexts Adversary Context Oracle System Adversary Context Simulator Oracle System σ C[O] σ O σ O Adv state m A Context state m c Oracle state m Adversary extended state < m A, m c > Oracle state m
12 Other CIL Rules Some other rules are based upon forward bisimulation, backward bisimulation, determinization... hand proofs in CIL: FDH, PSS, ElGamal, OAEP,... a general theorem for verifying iterative hash designs applied to many Sha-3 candidates (Ph.D. Thesis M. Daubignard).
13 Outline 1 CIL in Coq Oracle systems Adversary Indistinguishability and Contexts 2 Dziembowski s intrusion resilient protocol Intrusion-Resilient Key Generation Protocol Proof in CIL of the Key Generation Protocol
14 Intrusion Resilience in Black-Box Model? Motivation: the black box model has its limits: does not cover side-channel attacks nor intrusive attacks there is a need to design cryptographic protocols resilient to intrusion (viruses). Aim: secure protocols in the presence of viruses.
15 Intrusion Resilience in Black-Box Model? Motivation: the black box model has its limits: does not cover side-channel attacks nor intrusive attacks there is a need to design cryptographic protocols resilient to intrusion (viruses). Aim: secure protocols in the presence of viruses. The Bounded Storage Memory model (from [Mau92]): a virus can be any computation that has no limit on its computation time and memory but whose output is limited in size. Intuition: outputting large data can easily be revealed.
16 Intrusion Resilient Key Generation Protocol Scheme is from [Dzi06]. Alice N a Bob S a def N b = H(f (K, N a, N b )) S b pk a, mac S (pk a ) ε pka (κ i ), mac S (ε pka (κ i )) check mac π 0 def = H(f (K, N a, N b )) κ i check mac R {0, 1} δ(k) π 1 K: a large random key. f : a random extractor. H: a random hash function.
17 An Example of an Oracle Formalization Definition o_bob_nonce_sender : oracle_fun State (input_type Bob_nonce_sender) (output_type Bob_nonce_sender) := fun e => match Bflags (snd e) with Bob_start => let n := Brnd_nonce (Brnds (snd e)) in let s := (long_term_key (snd e) (fst e) n) in mlet hashs := o_h (s,snd e) in let (K,LH,As,_,Ar,Br,v) := snd hashs in!(n,mks K LH As (Bob_middle (fst hashs)) Ar Br v) _ =>!(nul_string,snd e) end.
18 Idealized Protocol Alice if pass. adver. then S a := S b else S a R D H N a N b S b Bob R D H π 0 pk a, mac S (pk a ) κ i check mac R {0, 1} δ(k) check mac ε pka (0), mac S (ε pka (0)) π 1 κ A i := κ i S is independent from N A, N B ; κ i never sent over the network.
19 Attack Model Adversary can observe and corrupt several sessions. Sequential (no concurrent sessions). Chooses an uncorrupted session to be challenged on.
20 Proof Sketch O π O π id = = C π0 [O π1 ] C π id [O 0 π id ] 1 O π1 O π id = = O π0 O 1 π id 0 = = C π0 [O π id ] 1 = C π id [O π0 ] 1 = = C εpk ( ) [O MAC ] C MAC id [O ε (0) ] pk C H [O K ] C H [O U ] C εpk ( ) [O MAC id ] = C MAC id [O ε ( ) ] pk O K O U O MAC id O MAC O εpk ( ) O ε (0) pk π 0 : first part of the protocol π 1 : second part of the protocol
21 Focus on π 1 π id 1 π 1 π id 1
22 Focus on π 1 π id 1 π 1 π id 1 = = C εsk ( )[MAC] C MAC id [ε sk (0)]
23 Focus on π 1 π id 1 π 1 π1 id = = C εsk ( )[MAC] C MAC id [ε sk (0)] C εsk ( )[MAC id ] = C MAC id [ε sk ( )]
24 Focus on π 1 π id 1 π 1 π1 id = = C εsk ( )[MAC] C MAC id [ε sk (0)] C εsk ( )[MAC id ] = C MAC id [ε sk ( )] MAC id MAC ε pk ( ) ε pk (0)
25 Conclusion In this work, we have: demonstrated the usability of CIL s formalization in Coq to prove intrusion resilience of a non-trivial key-exchange protocol To our knowledge, the first formal proof of a scheme in the non-black-box model The first formal proof of a protocol in the concrete security model. Related Work: Formal verification of cryptographic schemes: Indistinguishability logics: Impaglazzio and Kapron (2006); Datta et. al. (2006); Zhang (2008)... Certicrypt, Easycrypt - SCALP Project
26 Future Work other examples: group key exchange protocols,... use decision procedures for higher automatization bisimilation, probability bounds,... improve the tactics to minimize the user s goals to non-trivial proofs, design a tool that builds the Coq formalization of a cryptographic scheme from a protocol description, and the trivial parts of the proof.
27 References S. Dziembowski. Intrusion-resilience via the bounded-storage model. Lecture Notes in Computer Science, 3876:207, U.M. Maurer. Conditionally-perfect secrecy and a provably-secure randomized cipher. Journal of Cryptology, 5(1):53 66, 1992.
Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak
Non-Black-Box Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a
More informationMTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic
More informationIntroduction to Cryptography CS 355
Introduction to Cryptography CS 355 Lecture 30 Digital Signatures CS 355 Fall 2005 / Lecture 30 1 Announcements Wednesday s lecture cancelled Friday will be guest lecture by Prof. Cristina Nita- Rotaru
More informationSecure Reactive Systems
Michael Backes Saarland University, Germany joint work with Birgit Pfitzmann and Michael Waidner Secure Reactive Systems Lecture at Tartu U, 02/27/06 Building Systems on Open Networks E-Government Hospital
More informationLecture 15 - Digital Signatures
Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.
More informationOutline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures
Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike
More informationIntroduction. Digital Signature
Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology
More informationComputational Soundness of Symbolic Security and Implicit Complexity
Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview
More informationThe MAC In The Box Project
The MAC In The Box Project Michael J. C. Gordon, Robert Künnemann and Graham Steel 1 password databases attack bank email etc. 2 password databases attack bank email etc. 2 password databases attack bank
More informationLecture 9 - Message Authentication Codes
Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,
More informationKEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1
KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE Mihir Bellare UCSD 1 The public key setting Alice M D sk[a] (C) Bob pk[a] C C $ E pk[a] (M) σ $ S sk[a] (M) M, σ Vpk[A] (M, σ) Bob can: send encrypted data
More information1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.
1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks
More informationCapture Resilient ElGamal Signature Protocols
Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department
More informationVoteID 2011 Internet Voting System with Cast as Intended Verification
VoteID 2011 Internet Voting System with Cast as Intended Verification September 2011 VP R&D Jordi Puiggali@scytl.com Index Introduction Proposal Security Conclusions 2. Introduction Client computers could
More informationDigital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem
Digital Signatures Murat Kantarcioglu Based on Prof. Li s Slides Digital Signatures: The Problem Consider the real-life example where a person pays by credit card and signs a bill; the seller verifies
More informationMESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC
MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial
More information1 Message Authentication
Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions
More informationLecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads
CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs
More informationAuthenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre
Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense
More information1 Construction of CCA-secure encryption
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.
More informationIdentity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks
Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Tsz Hon Yuen - Huawei, Singapore Ye Zhang - Pennsylvania State University, USA Siu Ming
More informationDigital Signatures. What are Signature Schemes?
Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counter-parts of the message authentication schemes in the public
More informationOn Generating the Initial Key in the Bounded-Storage Model
On Generating the Initial Key in the Bounded-Storage Model Stefan Dziembowski Institute of Informatics, Warsaw University Banacha 2, PL-02-097 Warsaw, Poland, std@mimuw.edu.pl Ueli Maurer Department of
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 02 Overview on Modern Cryptography
More informationDIGITAL SIGNATURES 1/1
DIGITAL SIGNATURES 1/1 Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob 2/1 Signing electronically Bank Internet SIGFILE } {{ } 101 1 ALICE Pay Bob $100 scan
More informationDigital Signatures. Prof. Zeph Grunschlag
Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each
More informationLength extension attack on narrow-pipe SHA-3 candidates
Length extension attack on narrow-pipe SHA-3 candidates Danilo Gligoroski Department of Telematics, Norwegian University of Science and Technology, O.S.Bragstads plass 2B, N-7491 Trondheim, NORWAY danilo.gligoroski@item.ntnu.no
More information1 Signatures vs. MACs
CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures
More informationAdversary Modelling 1
Adversary Modelling 1 Evaluating the Feasibility of a Symbolic Adversary Model on Smart Transport Ticketing Systems Authors Arthur Sheung Chi Chan, MSc (Royal Holloway, 2014) Keith Mayes, ISG, Royal Holloway
More informationNon-interactive and Reusable Non-malleable Commitment Schemes
Non-interactive and Reusable Non-malleable Commitment Schemes Ivan Damgård a Jens Groth b June 16, 2003 Abstract We consider non-malleable (NM) and universally composable (UC) commitment schemes in the
More informationProof of Freshness: How to efficiently use an online single secure clock to secure shared untrusted memory.
Proof of Freshness: How to efficiently use an online single secure clock to secure shared untrusted memory. Marten van Dijk, Luis F. G. Sarmenta, Charles W. O Donnell, and Srinivas Devadas MIT Computer
More informationTalk announcement please consider attending!
Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically
More informationCryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.
Cryptosystems Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K. C= E(M, K), Bob sends C Alice receives C, M=D(C,K) Use the same key to decrypt. Public
More informationDemocratic Group Signatures on Example of Joint Ventures
Democratic Group Signatures on Example of Joint Ventures Mark Manulis Horst-Görtz Institute Ruhr-University of Bochum D-44801, Germany EMail: mark.manulis@rub.de Abstract. In the presence of economic globalization
More informationSchnorr Signcryption. Combining public key encryption with Schnorr digital signature. Laura Savu, University of Bucharest, Romania
Schnorr Signcryption Combining public key encryption with Schnorr digital signature Laura Savu, University of Bucharest, Romania IT Security for the Next Generation European Cup, Prague 17-19 February,
More informationSecurity Analysis of PLAID
Security Analysis of PLAID Dai Watanabe 1 Yokoyama Laboratory, Hitachi, Ltd., 292 Yoshida-cho, Totsuka-ku, Yokohama, 244-0817, Japan dai.watanabe.td@hitachi.com Abstract. PLAID is a mutual authentication
More informationPractice Questions. CS161 Computer Security, Fall 2008
Practice Questions CS161 Computer Security, Fall 2008 Name Email address Score % / 100 % Please do not forget to fill up your name, email in the box in the midterm exam you can skip this here. These practice
More informationHow To Protect Your Data From Attack
Security in Communication Networks Lehrstuhl für Informatik 4 RWTH Aachen Prof. Dr. Otto Spaniol Dr. rer. nat. Dirk Thißen Page 1 Organization Lehrstuhl für Informatik 4 Lecture Lecture takes place on
More informationCryptoVerif Tutorial
CryptoVerif Tutorial Bruno Blanchet INRIA Paris-Rocquencourt bruno.blanchet@inria.fr November 2014 Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 1 / 14 Exercise 1: preliminary definition SUF-CMA
More informationlundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal
Symmetric Crypto Pierre-Alain Fouque Birthday Paradox In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal N=365, about 23 people are
More informationCryptography & Network Security
Cryptography & Network Security Lecture 1: Introduction & Overview 2002. 3. 27 chlim@sejong.ac.kr Common Terms(1) Cryptography: The study of mathematical techniques related to aspects of information security
More informationSimulation-Based Security with Inexhaustible Interactive Turing Machines
Simulation-Based Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik Christian-Albrechts-Universität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.uni-kiel.de
More informationCryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs
Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a
More informationCertificate Based Signature Schemes without Pairings or Random Oracles
Certificate Based Signature Schemes without Pairings or Random Oracles p. 1/2 Certificate Based Signature Schemes without Pairings or Random Oracles Joseph K. Liu, Joonsang Baek, Willy Susilo and Jianying
More informationDigital Identity Management
Digital Identity Management Techniques and Policies E. Bertino CS Department and ECE School CERIAS Purdue University bertino@cs.purdue.edu Digital Identity Management What is DI? Digital identity (DI)
More informationHow to prove security of communication protocols?
1/37 Introduction on security protocols Modeling Verification Towards cryptographic guarantees How to prove security of communication protocols? Véronique Cortier, LORIA - CNRS, Nancy Colloquium Morgenstern,
More informationThe Exact Security of Digital Signatures How to Sign with RSA and Rabin
Appears in Advances in Cryptology Eurocrypt 96 Proceedings, Lecture Notes in Computer Science Vol. 1070, U. Maurer ed., Springer-Verlag, 1996. The Exact Security of Digital Signatures How to Sign with
More informationSecurity/Privacy Models for "Internet of things": What should be studied from RFID schemes? Daisuke Moriyama and Shin ichiro Matsuo NICT, Japan
Security/Privacy Models for "Internet of things": What should be studied from RFID schemes? Daisuke Moriyama and Shin ichiro Matsuo NICT, Japan 1 Internet of Things (IoT) CASAGRAS defined that: A global
More informationOutline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg
Outline CSc 466/566 Computer Security 8 : Cryptography Digital Signatures Version: 2012/02/27 16:07:05 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian
More informationAuthentication requirement Authentication function MAC Hash function Security of
UNIT 3 AUTHENTICATION Authentication requirement Authentication function MAC Hash function Security of hash function and MAC SHA HMAC CMAC Digital signature and authentication protocols DSS Slides Courtesy
More informationA Method for Making Password-Based Key Exchange Resilient to Server Compromise
A Method for Making Password-Based Key Exchange Resilient to Server Compromise Craig Gentry 1, Philip MacKenzie 2, and Zulfikar Ramzan 3 1 Stanford University, Palo Alto, CA, USA, cgentry@cs.stanford.edu
More informationCryptography and Network Security: Summary
Cryptography and Network Security: Summary Timo Karvi 12.2013 Timo Karvi () Cryptography and Network Security: Summary 12.2013 1 / 17 Summary of the Requirements for the exam The advices are valid for
More informationAuthenticated encryption
Authenticated encryption Dr. Enigma Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu October 16th, 2013 Active attacks on CPA-secure encryption
More informationComputer Science 308-547A Cryptography and Data Security. Claude Crépeau
Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)
More informationNetwork Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering
Network Security Gaurav Naik Gus Anderson, Philadelphia, PA Lectures on Network Security Feb 12 (Today!): Public Key Crypto, Hash Functions, Digital Signatures, and the Public Key Infrastructure Feb 14:
More informationSecurity Analysis of DRBG Using HMAC in NIST SP 800-90
Security Analysis of DRBG Using MAC in NIST SP 800-90 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@u-fukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator
More informationIntroduction to Computer Security
Introduction to Computer Security Hash Functions and Digital Signatures Pavel Laskov Wilhelm Schickard Institute for Computer Science Integrity objective in a wide sense Reliability Transmission errors
More informationSymmetric Crypto MAC. Pierre-Alain Fouque
Symmetric Crypto MAC Pierre-Alain Fouque Birthday Paradox In a set of D elements, by picking at random D elements, we have with high probability a collision two elements are equal D=365, about 23 people
More informationNetwork Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23
Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest
More informationLecture 1: Introduction. CS 6903: Modern Cryptography Spring 2009. Nitesh Saxena Polytechnic University
Lecture 1: Introduction CS 6903: Modern Cryptography Spring 2009 Nitesh Saxena Polytechnic University Outline Administrative Stuff Introductory Technical Stuff Some Pointers Course Web Page http://isis.poly.edu/courses/cs6903-s10
More informationTrading Static for Adaptive Security in Universally Composable Zero-Knowledge
Trading Static for Adaptive Security in Universally Composable Zero-Knowledge Aggelos Kiayias and Hong-Sheng Zhou Computer Science and Engineering University of Connecticut Storrs, CT, USA {aggelos,hszhou}@cse.uconn.edu
More informationEfficient Unlinkable Secret Handshakes for Anonymous Communications
보안공학연구논문지 (Journal of Security Engineering), 제 7권 제 6호 2010년 12월 Efficient Unlinkable Secret Handshakes for Anonymous Communications Eun-Kyung Ryu 1), Kee-Young Yoo 2), Keum-Sook Ha 3) Abstract The technique
More informationAn Overview of Common Adversary Models
An Overview of Common Adversary Karl Palmskog palmskog@kth.se 2012-03-29 Introduction Requirements of Software Systems 1 Functional Correctness: partial, termination, liveness, safety,... 2 Nonfunctional
More informationModular Security Proofs for Key Agreement Protocols
Modular Security Proofs for Key Agreement Protocols Caroline Kudla and Kenneth G. Paterson Information Security Group Royal Holloway, niversity of London, K {c.j.kudla,kenny.paterson}@rhul.ac.uk Abstract.
More informationHash Functions. Integrity checks
Hash Functions EJ Jung slide 1 Integrity checks Integrity vs. Confidentiality! Integrity: attacker cannot tamper with message! Encryption may not guarantee integrity! Intuition: attacker may able to modify
More informationCryptographic Hash Functions Message Authentication Digital Signatures
Cryptographic Hash Functions Message Authentication Digital Signatures Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBC-MAC Digital signatures 2 Encryption/Decryption
More informationOne-Way Encryption and Message Authentication
One-Way Encryption and Message Authentication Cryptographic Hash Functions Johannes Mittmann mittmann@in.tum.de Zentrum Mathematik Technische Universität München (TUM) 3 rd Joint Advanced Student School
More informationClient Server Registration Protocol
Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are
More informationSignature Schemes. CSG 252 Fall 2006. Riccardo Pucella
Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by
More informationCompiling CAO: from Cryptographic Specifications to C Implementations
Compiling CAO: from Cryptographic Specifications to C Implementations Manuel Barbosa David Castro Paulo Silva HASLab/INESC TEC Universidade do Minho Braga, Portugal April 8, 2014 Grenoble Motivation Developing
More informationAnalysis of Key-Exchange Protocols and Their Use for Building Secure Channels
Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels Ran Canetti 1 and Hugo Krawczyk 2, 1 IBM T.J. Watson Research Center, Yorktown Heights, New York 10598. canetti@watson.ibm.com
More informationCryptography Lecture 8. Digital signatures, hash functions
Cryptography Lecture 8 Digital signatures, hash functions A Message Authentication Code is what you get from symmetric cryptography A MAC is used to prevent Eve from creating a new message and inserting
More informationCUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631
Cunsheng DING, HKUST Lecture 08: Key Management for One-key Ciphers Topics of this Lecture 1. The generation and distribution of secret keys. 2. A key distribution protocol with a key distribution center.
More informationSecure Computation Without Authentication
Secure Computation Without Authentication Boaz Barak 1, Ran Canetti 2, Yehuda Lindell 3, Rafael Pass 4, and Tal Rabin 2 1 IAS. E:mail: boaz@ias.edu 2 IBM Research. E-mail: {canetti,talr}@watson.ibm.com
More informationProposal for a Graduate Certificate in Information Assurance Education Track 2. Submitted. by the. School of Technology West Lafayette Campus
Graduate Council Document 03-24a Approved by the Graduate Council 11/20/03 Proposal for a Graduate Certificate in Information Assurance Education Track 2 Submitted by the School of Technology West Lafayette
More information1 Domain Extension for MACs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).
More informationOverview of Public-Key Cryptography
CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows
More informationLecture 5 - CPA security, Pseudorandom functions
Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.
More informationEasyCrypt - Lecture 6 Overview and perspectives. Tuesday November 25th
EasyCrypt - Lecture 6 Overview and perspectives Tuesday November 25th EasyCrypt - Lecture 6 Case studies Verified implementations Automated proofs and synthesis Perspectives 2 Inventaire à la Prevert Examples
More informationComparison of CBC MAC Variants and Comments on NIST s Consultation Paper
Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper Tetsu Iwata Department of Computer and Information Sciences, Ibaraki University 4 12 1 Nakanarusawa, Hitachi, Ibaraki 316-8511,
More informationCIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives
CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash
More informationNew Efficient Searchable Encryption Schemes from Bilinear Pairings
International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 20 Public-Key Cryptography and Message Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Public-Key Cryptography
More informationCS 758: Cryptography / Network Security
CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html
More informationChapter 12. Digital signatures. 12.1 Digital signature schemes
Chapter 12 Digital signatures In the public key setting, the primitive used to provide data integrity is a digital signature scheme. In this chapter we look at security notions and constructions for this
More informationCh.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis
Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography
More informationSECURITY ANALYSIS OF A SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS
SECURITY ANALYSIS OF A SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS Abstract: The Single sign-on (SSO) is a new authentication mechanism that enables a legal user with a single credential
More informationPrivacy in Deniable Anonymous Concurrent Authentication with Setup is Impossible
Privacy in Deniable Anonymous Concurrent Authentication with Setup is Impossible Do we Care? Serge Vaudenay ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE http://lasecwwwepflch/ SV do we care? Newton 2012 1
More informationInformation Security Basic Concepts
Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,
More informationQ: Why security protocols?
Security Protocols Q: Why security protocols? Alice Bob A: To allow reliable communication over an untrusted channel (eg. Internet) 2 Security Protocols are out there Confidentiality Authentication Example:
More informationHow to Design a Successful One-Time Signature Scheme
CSCI-GA.3210-001 MATH-GA.2170-001 Introduction to Cryptography April 18, 2012 Lecture 13 Lecturer: Yevgeniy Dodis Spring 2012 This lecture is dedicated to constructions of digital signature schemes. Assuming
More informationA New and Efficient Signature on Commitment Values
International Journal of Network Security, Vol.7, No., PP.0 06, July 2008 0 A New and Efficient Signature on Commitment Values Fangguo Zhang,3, Xiaofeng Chen 2,3, Yi Mu 4, and Willy Susilo 4 (Corresponding
More informationChapter 7: Network security
Chapter 7: Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice: application layer: secure e-mail transport
More informationSSL A discussion of the Secure Socket Layer
www.harmonysecurity.com info@harmonysecurity.com SSL A discussion of the Secure Socket Layer By Stephen Fewer Contents 1 Introduction 2 2 Encryption Techniques 3 3 Protocol Overview 3 3.1 The SSL Record
More informationEfficient and Secure Authenticated Key Exchange Using Weak Passwords
Efficient and Secure Authenticated Key Exchange Using Weak Passwords Jonathan Katz Rafail Ostrovsky Moti Yung Abstract Mutual authentication and authenticated key exchange are fundamental techniques for
More informationLeakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives
Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives Olivier Pereira Université catholique de Louvain ICTEAM Crypto Group B-1348, Belgium olivier.pereira@uclouvain.be
More informationPORs: Proofs of Retrievability for Large Files
PORs: Proofs of Retrievability for Large Files Ari Juels RSA Laboratories Burt Kaliski EMC Innovation Network ACM CCS Conference, 2007 presented by Serkan Uzunbaz Source: www.rsa.com/rsalabs/node.asp?id=3357
More informationSecure Deduplication of Encrypted Data without Additional Servers
Secure Deduplication of Encrypted Data without Additional Servers Jian Liu Aalto University jian.liu@aalto.fi N. Asokan Aalto University and University of Helsinki asokan@acm.org Benny Pinkas Bar Ilan
More information