Lecture 7 Signature Schemes

About This Presentation

Title:

Lecture 7 Signature Schemes

Description:

Hash Function, Digital Signature & Public Key Infrastructure Review: Security Requirements In the context of communications across a network, the following attacks ... – PowerPoint PPT presentation

Number of Views:171

Avg rating:3.0/5.0

Slides: 135

Provided by: Uten134

Category:

more less

Transcript and Presenter's Notes

Title: Lecture 7 Signature Schemes

1
Hash Function, Digital Signature Public Key
Infrastructure
2
Review Security Requirements

In the context of communications across a
network, the following attacks can be identified
disclosure
traffic analysis
masquerade
content modification
sequence modification
timing modification
source repudiation
destination repudiation

Symmetric/Asymmetric cryptography
Generally regarded as Message Authentication
Come under the heading of digital signature
Require a combination of the use of digital
signature and protocol design
3
Review Security Services

Authentication Provides the assurance of
someones identity
Confidentiality Protects against disclosure to
unauthorized identities
Non-Repudiation Protects against communications
originator to later deny it
Integrity Protects from unauthorized data
alteration

4
Review Services, Mechanisms, Algorithms
A typical security protocol provides one or more
services
Services
SSL, IPSEC, TLS, SSH, etc...
Mechanisms
Signatures
Encryption
Hashing
Algorithms
DSA
RSA
RSA
DES
SHA
MD5
Services are built from Mechanisms Mechanisms are
implemented using Algorithms
5
Review Message Authentication
Message Authentication
Hash Function
Message Authentication Code
Message Encryption
6
Message Authentication Hash functions
7
Hash Functions

Can use for encryption, authentication and
digital signature.
Hash function accepts a variable-size message M
as input and produces
a fixed-size output, referred to as a hash
code H(M).
A cryptographic hash function h takes as input a
message or arbitrary
length and produces as output a message
digest of fixed length, for
example 160 bits as depicted in Figure.

8
Defining Hashing
If you were to give someone the number 1,765,335
and ask he/she to determine your original number,
it would be virtually impossible for he/she to
work backwards and derive to the original
number of 12,345. If you give her/him the
multiplier (143), she could easily determine the
original number.
Input Value
Multiplier
Formula
Result
12,345
143
Value Multiplier
1,765,335
Plaintext
Key
Algorithm
Ciphertext
9
A Practical Use of Hash Algorithm
Hashed value Store on card
123456 PIN entered on keypad
459384502392 123456 hashed
10
A Practical Use of Hash Algorithm
Hashed value Store on card
459384502392 123456 hashed
123456 PIN entered on keypad
Use Hashing Algorithm The hash value is based on
algorithm
Haval MD2 MD4 MD5 SHA Hash Functions (SHA-1,
SHA-2)
11
One-way HASH function
12
Hash Functions

Hash code does not use a key.
Hash code is a function only of the input
message.
Hash code is also referred to as a message
digest or hash value.
The hash code is a function of all the bits of
the message and provides
an error-detection capability.
A change to any bit or bits in the message
results in a change to the
hash code.

13
Hash Function Properties

a Hash Function produces a fingerprint of some
file/message/data
h H(M)
condenses a variable-length message M
to a fixed-sized fingerprint
assumed to be public

14
Requirements for Hash Functions

Purpose of the HASH function is to produce a
fingerprint.
Properties of a HASH function H
H can be applied to a block of data at any size
H produces a fixed length output
H(x) is easy to compute for any given x.
For any given block x, it is computationally
infeasible to find x such that H(x) h
One-way property
For any given block x, it is computationally
infeasible to find with H(y) H(x).
Weak collision resistance
It is computationally infeasible to find any pair
(x, y) such that H(x) H(y)
Strong collision resistance

15
Simple Hash Functions

are several proposals for simple functions
based on XOR of message blocks
not secure since can manipulate any message and
either not change hash or change hash also
need a stronger cryptographic function

16
Hash Functions Operations(In term of Hashing,
Signing, and Applications)

One useful application of hash functions is to
make signature schemes
more efficient.
The hash function is made public.
Starting with a message m, Alice calculates the
hash h(m). This output h(m)
is significantly smaller, and hence signing
the hash may be done more
quickly than signing the entire message.
Alice calculates the signed message sig(h(m))
for the hash function and
uses it as the signature of the message.
The pair (m, sig(h(m))) now conveys basically
the same knowledge as the
original signature scheme did.
It has the advantages that it is faster to
create (under the reasonable
assumption that the hash operation is quick)
and requires less resources
for transmission or storage.

17
In Term of Security

Suppose Eve has possession of Alices signed
message (m, sig(h(m))).
She has another message m to which she wants
she to add Alices
signature.
This means that she needs sig(h(m))
sig(h(m)) in particular, she needs
h(m) h(m).
If the hash function is one-way, Eve will find
it hard to find any such m.
The chance that her desired m will work is very
small. Moreover,
since we require our hash function to be
strongly collision-free, it is
unlikely that eve can find two messages m1 ?
m2 with the same
signatures.
Of course, if she did, she could have Alice sign
m1, then transfer her
signature to m2. But Alice would get
suspicious since m1 (and m2)
would very likely be meaningless messages.

18
Check on Data Integrity

Hash function also can be employed as a check on
data integrity.
The question of data integrity comes up in
basically two scenarios.
First when the data (encrypted or not) are
being transmitted to another
person and a noisy communication channel
introduces errors to the data.
Second An observer rearranges the transmission
in some manner
before it gets to the receiver. Either way,
the data have become corrupted.
Example
Suppose Alice sends Bob long messages about
financial transactions
with Eve and encrypts them in blocks.
Perhaps Eve deduces that the tenth block of each
message lists the
amount of money that is to be deposited to
Eves account.
She could easily substitute the tenth block from
one message into
another and increase the deposit.

19
Check on Data Integrity

Another situation
Alice might send Bob a message consisting of
several blocks of
data, but one of the blocks is lost during
transmission. Bob might
not ever realize that the block is missing.
Here is how function can be used. Say we send
(m, h(m)) over the
communications channel and it is received as
(M, H). To check
whether errors might have occurred, the
recipient computes h(M)
and sees whether it equals H. If any errors
occurred, it is likely that
h(M) ? H, because of the collision-free
properties of h.

20
List of Cryptographic Hash Function

Haval
MD2
MD4
MD5
N-Hash
RIPEMD-160
SHA Hash Functions (SHA-0, SHA-1, SHA-2)
Snefru
Tiger
Whirlpool

21
Other Secure HASH functions
SHA-1 MD5 RIPEMD-160
Digest length 160 bits 128 bits 160 bits
Basic unit of processing 512 bits 512 bits 512 bits
Number of steps 80 (4 rounds of 20) 64 (4 rounds of 16) 160 (5 paired rounds of 16)
Maximum message size 264-1 bits
22
Digital Signature / Signature Schemes
23
Signature schemes

digital signature schemes

MACs in the public-key setting
24
Problem Authentication
24
25
Problem Authentication
25
26
Scenario
26
27
Scenario
27
28
Scenario
28
29
Scenario
29
30
Scenario
30
31
Digital Signatures

have looked at message authentication
but does not address issues of lack of trust
A few scenarios (transfer funds, mail message)
digital signatures provide the ability to
(properties)
verify author, date time of signature
authenticate message contents
be verified by third parties to resolve disputes
hence include authentication function with
additional capabilities

32
Digital Signature Properties

must depend on the message signed
must use information unique to sender
to prevent both forgery and denial
must be relatively easy to produce
must be relatively easy to recognize verify
be computationally infeasible to forge
with new message for existing digital signature
with fraudulent digital signature for given
message
be practical save digital signature in storage

33
Digital Signatures Categories
Digital signatures
Arbitrated Digital Signature
Direct Digital Signature
34
Direct Digital Signatures

involve only sender receiver
assumed receiver has senders public-key
digital signature made by sender signing entire
message or hash with private-key
can encrypt using receivers public-key
important that sign first then encrypt message
signature
security depends on senders private-key

35
Arbitrated Digital Signatures

involves use of arbiter A
validates any signed message
then dated and sent to recipient
requires suitable level of trust in arbiter
can be implemented with either private or
public-key algorithms
arbiter may or may not see message

36
Authentication Protocols

used to convince parties of each others identity
and to exchange session keys
may be one-way or mutual
key issues are
confidentiality to protect session keys
timeliness to prevent replay attacks

37
Replay Attacks

where a valid signed message is copied and later
resent
simple replay
repetition that can be logged
repetition that cannot be detected
backward replay without modification
countermeasures include
use of sequence numbers (generally impractical)
timestamps (needs synchronized clocks)
challenge/response (using unique nonce)

38
Using Symmetric Encryption

as discussed previously can use a two-level
hierarchy of keys
usually with a trusted Key Distribution Center
(KDC)
each party shares own master key with KDC
KDC generates session keys used for connections
between parties
master keys used to distribute these to them

39
Needham-Schroeder Protocol

original third-party key distribution protocol
for session between A B mediated by KDC
protocol overview is
1. A?KDC IDA IDB N1
2. KDC?A EKaKs IDB N1 EKbKsIDA
3. A?B EKbKsIDA
4. B?A EKsN2
5. A?B EKsf(N2)

40
Needham-Schroeder Protocol

used to securely distribute a new session key for
communications between A B
but is vulnerable to a replay attack if an old
session key has been compromised
then message 3 can be resent convincing B that is
communicating with A
modifications to address this require
timestamps (Denning 81)
using an extra nonce (Neuman 93)

41
Using Public-Key Encryption

have a range of approaches based on the use of
public-key encryption
need to ensure have correct public keys for other
parties
using a central Authentication Server (AS)
various protocols exist using timestamps or nonces

42
Denning AS Protocol

Denning 81 presented the following
1. A?AS IDA IDB
2. AS?A EKRasIDAKUaT EKRasIDBKUbT
3. A?B EKRasIDAKUaT EKRasIDBKUbT
EKUbEKRasKsT
note session key is chosen by A, hence AS need
not be trusted to protect it
timestamps prevent replay but require
synchronized clocks

43
One-Way Authentication

required when sender receiver are not in
communications at same time (eg. email)
have header in clear so can be delivered by email
system
may want contents of body protected sender
authenticated

44
Using Symmetric Encryption

can refine use of KDC but cant have final
exchange of nonces, vis
1. A?KDC IDA IDB N1
2. KDC?A EKaKs IDB N1 EKbKsIDA
3. A?B EKbKsIDA EKsM
does not protect against replays
could rely on timestamp in message, though email
delays make this problematic

45
Public-Key Approaches

have seen some public-key approaches
if confidentiality is major concern, can use
A?B EKUbKs EKsM
has encrypted session key, encrypted message
if authentication needed use a digital signature
with a digital certificate
A?B M EKRaH(M) EKRasTIDAKUa
with message, signature, certificate

46
Digital Signature Standard (DSS)

US Govt approved signature scheme FIPS 186
uses the SHA hash algorithm
designed by NIST NSA in early 90's
DSS is the standard, DSA is the algorithm
a variant on ElGamal and Schnorr schemes
creates a 320 bit signature, but with 512-1024
bit security
security depends on difficulty of computing
discrete logarithms

47
DSA Key Generation

have shared global public key values (p,q,g)
a large prime p 2L
where L 512 to 1024 bits and is a multiple of 64
choose q, a 160 bit prime factor of p-1
choose g h(p-1)/q
where hltp-1, h(p-1)/q (mod p) gt 1
users choose private compute public key
choose xltq
compute y gx (mod p)

48
DSA Signature Creation

to sign a message M the sender
generates a random signature key k, kltq
nb. k must be random, be destroyed after use, and
never be reused
then computes signature pair
r (gk(mod p))(mod q)
s (k-1.SHA(M) x.r)(mod q)
sends signature (r,s) with message M

49
DSA Signature Verification

having received M signature (r,s)
to verify a signature, recipient computes
w s-1(mod q)
u1 (SHA(M).w)(mod q)
u2 (r.w)(mod q)
v (gu1.yu2(mod p)) (mod q)
if vr then signature is verified
see book web site for details of proof why

50
Summary

have considered
digital signatures
authentication protocols (mutual one-way)
digital signature standard

51
Message Authentication Codes the idea
(m, tTagk(m))
m ? 0,1
Vrfyk(m) ? yes,no
Alice
Bob
k
k
k is chosen randomly from some set K
51
52
Signature Schemes
(m, tTagk(m))
m ? 0,1
Vrfyk(m) ? yes,no
Alice
Alice
Bob
Bob
k
pk
k
sk
(pk,sk) Gen(1n)
1n
53
Advantages of the signature schemes

Digital signatures are
publicly verifiable
transferable
provide non-repudiation

54
Anyone can verify the signatures
Sign(sk3,m)
P2
public register
P3
sk3
pk1
pk2
pk3
pk4
pk5
1. Sign(sk3,m)
Sign(sk3,m)
P4
2. reads pk3
P1
3. computes Vrfy(pk3,m)
P5
55
Look at the MACs...
k
k
(m, tTagk(m))
m ? 0,1
Alice
Bob

Why shall I trust you?
You could have created t yourself (because you
know k)
I dont know k, so how can I verify the tag?

Look, I got (m,t) from Alice
Carol
56
Signatures are publicly-verifiable!
skA
pkA
(m, s Signsk(m))
m ? 0,1
Alice
Bob
Look, I got (m,s) from Alice
I can calculate Vrfy(pkA,m,s) and check.
Carol
57
So, the signatures are transferable
Alice
skA
Alice signed m
Alice signed m
Alice signed m
s Sign(sk3,m)
I believe it!
I believe it!
I believe it!
(m,s)
(m,s)
(m,s)
pkA
pkA
pkA
pkA
P2
P1
P4
P3
58
Non-repudiation
skA
pkA
(m, s Signsk(m))
m ? 0,1
Alice
Bob
Ive got (m,s) from Alice
Its not true!I never signed m!
Vrfy(pk,m,s) yesso you cannot repudiate
signing m...
Judge
59
Digital Signature Schemes
A digital signature scheme is a tuple
(Gen,Sign,Vrfy) of poly-time algorithms, such
that

the key-generation algorithm Gen takes as input a
security parameter 1n and outputs a pair
(pk,sk),
the signing algorithm Sign takes as input a key
sk and a message m?0,1 and outputs a signature
s,
the verification algorithm Vrfy takes as input a
key pk, a message m and a signature s, and
outputs a bit b ? yes, no.

If Vrfypk(m,s) yes then we say that s is a
valid signature on the message m.
60
Correctness

We require that it always holds that
Vrfypk(m,Signsk(m)) yes
What remains is to define security of a MAC.

61
Other popular signature schemes

Based on discrete log
ElGamal signatures
Digital Signature Standard (DSS)
(also based on other groups elliptic curves)

62
Public Key Infrastructure
63
Overview

Simple Fundamental
Qualified signatures
PKI and trust management
Introduction to the key establishment protocols

64
Public Key Infrastructures
Alice
Charlie
Reggie
Eve
Bob
Sender Receiver
Certification Authority
Registration Authority
Hacker
Receiver Sender
65
Public Key Infrastructures

Alice and Bob, want to be able to communicate
securely by sending messages to each other.
They want to be able to use trustworthy digital
signature technology to protect the integrity of
their messages, and they may also want to use
encryption to keep the contents of their messages
secret. To achieve all this, they've decided to
use a PKI (Public Key Infrastructure) system, and
digital certificates.

66
Public Key Infrastructures

Alice and Bob, want to enroll in a PKI system.
Charlie runs a Certification Authority (CA), and
will be issuing certificates to Alice and Bob.
To make Charlie's job easier, he relies on his
twin brother Reggie, a Registration Authority
(RA), who interacts with Alice and Bob on
Charlie's behalf.

67
Public Key Infrastructures

Alice and Bob want to enroll in a PKI system, and
have decided to purchase certificates from
Charlie, a Certification Authority.
To do this, they'll first need to contact Reggie,
a Registration Authority who has an agreement
with Charlie, to prove their identities. (Having
Reggie conduct part of the enrolment proceedings
makes Charlie's job a little easier.) But before
they do that, they'll each have to generate a
signing key for themselves.

CA
RA
68
Public Key Infrastructures

Let's see the procedure Alice goes through to
enroll in the PKI. Bob will have to go through
the exact same process.
First Alice asks her computer to generate a
private signing key and a public key. Her private
key is for her use only, and she must never share
it with anyone. Her public key can be available
to the world (in fact it will be included in the
certificate issued by Charlie), and anyone can
use it to verify her digital signature on a
message.

Alices Public Key
Alices Private Key
69
Public Key Infrastructures

Next, she goes to visit Reggie, a Registration
Authority, at his office. It is Reggie's duty to
verify Alice's identity, so that he can say to
Charlie that he has made sure that Alice is
Alice. Since Charlie will be issuing a
certificate to her, and the certificate conveys a
high level of assurance that
Alice is who she says she is, and people will be
trusting that, Charlie needs Reggie to be very
careful about this.
Alice shows Reggie proof of government-issued
photo identification.

Since Reggie trusts the government that issued
these identification cards, he is extremely
certain that Alice is who she says she is he has
authenticated Alice's identity. Next, he must
transfer this knowledge to Charlie.

70
Public Key Infrastructures

Reggie has a secure encrypted computer link to
his twin brother Charlie, the CA, so it is easy
for him to notify Charlie of Alice's enrolment,
and to let him know that he has authenticated her
identity.
He makes up a reference number for Alice's
account, gives it to her, and also uses this
number to enroll her with Charlie over the
encrypted link. In return, over the same
encrypted link, Charlie sends Reggie an
authorization code that Alice will use later.

Alices enrolment Information
Authorization Code For Alice
CA
RA

Instead of giving Alice the authorization code,
he sends it to her office voicemail box. This is
an extra check to make sure that Alice has
supplied appropriate contact information.

71
Public Key Infrastructures

Alice can now return to her office. She uses her
computer to create a certificate-request form.
This form includes the following
her enrolment information, as given to Reggie
earlier (name, address, etc.)
the authorization code that Charlie made, which
Reggie left in her voicemail
her public key
Then, she digitally signs her certificate-request
form, using her private key. This is very
important, because she needs to prove that she
possesses the private key that corresponds to the
certificate that Charlie will be issuing her. If
she can't prove she has the private key, Charlie
won't issue the certificate.

Reference Number and Certificate Request
RA
72
Public Key Infrastructures

Charlie can check her signature using her public
key.
Alice logs into Charlie's web site using her
reference number and submits her certificate
request form.
After receiving Alice's certificate request, he
has to do some checking to make sure it's OK.
First, he checks to make sure the reference
number and authorization code match what they are
supposed to.
The authorization code inside Alice's certificate
request must be the same as what Charlie has on
file.

Reference Number and Certificate Request
RA
73
Public Key Infrastructures

Since Reggie had verified Alice's identity when
the authorization code was given to her, Charlie
knows that the certificate request came from
Alice, and not somebody else pretending to be
Alice.
Next, he takes the public key from the
certificate request, and uses it to verify the
digital signature on the request. If the
signature is correct, then he knows Alice does
possess her private key.
Having authenticated her identity, and verified
that she has the right private key, Charlie
issues the certificate in Alice's name and sends
it back to her.

Certification Approved
Subject Alice Name Alice Issuer
Charlie
CA
Issued 21-08-2008
74
Public Key Infrastructures

Charlie also publishes the certificate in his
public repository, so that anybody receiving a
message from Alice can check her certificate.
After Bob has his certificate too, Alice and Bob
can use digital signatures to ensure the
integrity and sender's identity of their
messages.

75
Public Key Infrastructures

If Alice and Bob want to use encryption to keep
the contents of their messages secret, then they
will also need a separate set of encryption keys
and certificates for that purpose.
They can obtain these certificates at the same
time as they obtain their signing certificates.

76
Overview

Simple Fundamental
Qualified signatures
PKI and trust management
Introduction to the key establishment protocols

77
QuestionHow to maintain the public register?

We start with the case when the public keys are
used for signing that is legally binding.
Then we consider other cases.

78
A problem
skA
pkA
(m, s Signsk(m))
m ? 0,1
Alice
Bob
I got (m,s) from Alice
Its not true!I never signed m!
Vrfy(pk,m,s) yesso you cannot repudiate
signing m...
But pk is not my public key!
Judge
79
Solution certification authorities

A simplified view

comes with her ID and pkAlice
(pkCert,skCert)
Certification Authority
Alice
checks the ID of Alice and issues a
certificate SignskCert(pkAlice is a public key
of Alice)
Now, everyone can verify that pkAlice is a public
key of Alice. So Alice can attach it to every
signature
really everyone?
80
What is needed to verify the certificate

To verify the certificate coming from Cert one
needs
to know the public key of the Cert
to trust Cert.
It is better if Cert also keeps a document
I, Alice certify that pkAlice is my public key
with a written signature of Alice.

81
How does it look from the legal point of view?

What matters at the end is if you can convince
the judge.
Many countries have now a special law regulating
these things.
In Malaysia it isMCMC

82
Malaysian Certificate Authorities

Digicert

83
So, what to do if you want to issue the qualified
signatures?

You have to go to one of this companies and get a
qualified certificate (it costs!).
The certificate is valid just for some given
period.

84
What if the secret key is lost?

In this case you have to revoke the
certificate.Every authority maintains a list of
revoked certificates.
The certificates come with some insurance.

85
Plan

Qualified signatures
PKI and trust management
Introduction to the key establishment protocols

86
In many case one doesnt want to use the
qualified signatures

The certificates cost.
Its risky to use them
How do you know what your computer is really
signing?Computers have viruses, Trojan horses,
etc.
You can use external (trusted) hardware but it
should have a display (so you can see what is
signed).
Remember qualified signatures are equivalent to
the written ones!

87
Practical solution
In many cases the qualified signatures are an
overkill.
Instead, people use non-qualified signatures.
The certificates are distributed using a
public-key infrastructure (PKI).
88
Users can certify keys of the other users
knows pk2
knows pk3
P2
P1
P3
pk3
pk1
pk2
trusts P2
P1 believesthat pk3 is a public key of P3
P2 certifies that pk3 is a public key of P3
signature of P2
this should be done only if P2 really met P3 in
person and verified his identity
89
Users can certify keys of the other users
knows pk2
knows pk3
knows pk4
P2
P1
P3
P4
pk1
pk4
pk3
pk2
trusts P2
trusts P3
P2 certifies that pk3 is a public key of P3
signature of P2
P1 believesthat pk3 is a public key of P3
P3 certifies that pk4 is a public key of P4
signature of P3
90
knows pk2
knows pk3
knows pk4
knows pk5
P2
P1
P3
P4
P5
pk3
pk1
pk4
pk4
pk2
trusts P2
trusts P3
This is called acertificate chain
trusts P4
P2 certifies that pk3 is a public key of P3
signature of P2
P1 believesthat pk3 is a public key of P3
P3 certifies that pk4 is a public key of P4
signature of P3
P4 certifies that pk5 is a public key of P5
signature of P4
91
A problem
knows pk2
knows pk3
knows pk4
P2
P1
P3
P4
pk3
pk1
pk4
pk2
trusts P2
trusts P3

What if P1 does not know P3?
How can he trust him?
Answer P2 can recommend P3 to P1.

92
A question is trust transitive?
Does
P2
P1
P3
pk3
pk1
pk2
trusts P2
trusts P3
imply
P2
P1
P3
pk3
pk1
pk2
?
trusts P3
93
Example
I can recommend P3
P2
P1
P3
pk3
pk1
pk2
trusts thatP2 is a veryhonest person
trusts thatP3 is a veryhonest person
P2
P1
P3
pk3
pk1
pk2
doesnt trust that P3 is honest, because he
thinks that P2 is honest but naive
94
Moral

Trust is not transitive
P1 trusts in the certificates issued by P2
is not the same as saying
P1 trusts that
if
P2 says you can trust the certificates issued by
P3
then
one can trust the certificates issued by P3

95
Recommendation levels
level 1 recommendation A you can trusts in
all the certificates issued by B level 2
recommendation A you can trust that all the
level 1 recommendations issued by B level 3
recommendation B you can trust that all the
level 2 recommendations issued by B and so on.
. .

Recursively
level i1 recommendation
A you can trust that all the level i
recommendations issued by B

96
Now, if
P2
P1
P3
P4
P2 issues a recommendation of level 2 for P3
P3 issues a recommendation of level 1 for P4
P2 trust in all the recommendations issued by P2
then
P2
P4
P1
P3
trusts the certificates issued by P4
Of course the recommendations also need to be
signed. Starts to look complicated...
97
How is it solved in practice?

In popular standard is X.509 the recommendation
is included into a certificate.
Here the level of recommendations is bounded
using a field called basic constraints.
X.509 is used for example in SSL.
SSL is implemented is implemented in every
popular web-browser.
So, lets look at it.

98
(No Transcript)
99
(No Transcript)
100
(No Transcript)
101
(No Transcript)
102
(No Transcript)
103
Concrete example

Lets go to the Banca Di Roma website

104
a certificatechain
105
(No Transcript)
106
(No Transcript)
107
(No Transcript)
108
The typical picture
web browser knows these certificates
. . .
Verisign
DigiCert
Entrust

Implicit assumptions
the author of the browser is honest,
the author of the browser is competent
nobody manipulated the browser

is it always true?
VerisignEurope
VerisignUSA
VerisignItaly
a certificate path
Banca di Roma
109
(No Transcript)
110
Is it so important to check it?

Yes!
For example the last element in the chain can be
anybody (who paid to Verising for a certificate).
For sure we do not want to trust the certificates
issued by anyone.

111
So, what happens when a user contacts the bank?
sends(cert1,..., certn)
Alice
Bank
If Alices browser knows cert1 it canverify the
chain and read the public key of the bank from
certn
112
What happens if the certification path is invalid?

For example if the first certificate in the path
is not known to the user.
Experiment lets delete the Verisign
certificate for the configuration of the
browser...

113
(No Transcript)
114
What happens?
115
Another popular PKI

Pretty Good Privacy (PGP) every user can act as
a certification authority.
Hence the name
Web of Trust

116
Introduction to the key establishment protocols
117
Suppose Alice and Bob want to authenticate to
each other...
internet
Bob
Alice
Observation authentication itself is not very
useful.More useful key establishment
118
Protocols for key establishment

Suppose Alice and Bob want to establish a fresh
session key in an authentic way.
When is it possible?
Using symmetric cryptography Alice and Bob can
use some trusted server S.
Using asymmetric cryptography e.g. using PKI.

119
Symmetric cryptography
share a private keyKAS
share a private keyKBS
server S
Alice
Bob

The server can help Alice and Bob to establish a
session key.
(in reality its not so trivial to design a
secure protocol)

120
The public-key cryptography
sends(cert1,..., certn)
sends(cert1,..., certn)
Alice
Bob

If they accepted the certificate paths they can
establish a session key
Alice selects a random key K.
Alice encrypts K with Bobs public key, and sign
is it with her private key, and sends it to Bob.
Bob verifies the signature and decrypts the K.
Again in reality its not that simple...

121
What if one of the parties doesnt have a
certificate?

Typical situation in real life...
E.g. a bank can verify authenticity of Alice by
asking her for a secret password.
This password is provided to her (in a physical
way) when she opened an account.
How to prevent the dictionary attacks?
Not so trivial...

122
Designing the key establishment protocols

It is an active area of research.
Its more complicated than one may think...
On the next slides we show some common errors.

123
An idea (1)
key shared by Alice and the server KAS
key shared by Bob and the server KBS
server S
(A,B)
selects a random KAB
EncKAS(KAB), EncKBS(KAB)
(EncKBS (KAB),A)
Alice
Bob
124
An attack
key shared by Alice and the server KAS
key shared by Bob and the server KBS
server S
(A,B)
Im talking to D
selects a random KAB
EncKAS(KAB), EncKBS(KAB)
(EncKBS(KAB),A)
(EncKBS (KAB),D)
Alice
Bob
125
An idea (2)
key shared by Alice and the server KAS
key shared by Bob and the server KBS
server S
(A,B)
selects a random KAB
EncKAS(KAB,B), EncKBS(KAB,A)
EncKBS(KAB,A)
Bob
Alice
126
A replay attack
the adversary stores the values that the server
sent in the previous session and replays
them. So, the key is not fresh...
(A,B)
EncKAS(KAB,B), EncKBS(KAB,A)
EncKBS(KAB,A)
Alice
Bob
127
How to protect against the replay attacks?

Nonce number used once.
Nonce is a random number generated by one party
and returned to that party to show that a message
is newly generated.

128
An idea (3) Needham Schreoder 1972.
key shared by Alice and the server KAS
key shared by Bob and the server KBS
server S
(A,B,NA)
selects a random KAB
EncKAS(KAB, B, NA, EncKBS(KAB,A))
EncKBS(KAB,A)
EncKAB(NB)
EncKAB(NB 1)
Bob
Alice
129
An attack on Needham Schroeder
Assume that an old session key KAB is known to
the adversary.
EncKBS(KAB,A)
EncKAB(NB)
EncKAB(NB 1)
Bob
130
The final solution
key shared by Alice and the server KAS
key shared by Bob and the server KBS
server S
(A,B,NA,NB)
selects a random KAB
EncKAS(KAB, B, NA) EncKBS(KAB, A, NB)
(B,NB)
EncKBS(KAB, A, NB)
Alice
Bob
131
Other desirable features

Forward-securityif an adversary breaks into the
machine at some time t the previous session keys
remain secret.
DeniabilityA user can always deny that he sent
some message.
Resistance to denial-of-service attacks(dont
put to much work on the server!).

132
Another (real-life) problem

Alice and Bob may use different versions of the
protocol.
Therefore at the beginning of the protocol they
have to agree on the ciphers that they will use.
How to do agree in a secure way?

Alice I prefer to use AES, but I can also use
DES
Alice I can only use DES,
Bob I can only use DES,
Bob I prefer to use AES, but I can also use
DES
Alice
Bob
Theyll end up using DES!
133
Protocols used in practice