
Security Introduction

Security Introduction. Class 11 18 February 2003. Overview. Security Properties Security Primitives Sample Protocols. Introducing Protocol Participants. Alice (usually the protocol initiator) Bob, Alice’s friend Eve the eavesdropper Mallory the malicious adversary

vinson

Presentation Transcript


  1. Security Introduction Class 11 18 February 2003

  2. Overview • Security Properties • Security Primitives • Sample Protocols

  3. Introducing Protocol Participants • Alice (usually the protocol initiator) • Bob, Alice’s friend • Eve the eavesdropper • Mallory the malicious adversary • Trent the trusted server

  4. Security Properties • Confidentiality (secrecy) • Eve cannot get any information • Semantic security • Even if Eve knows plaintext/ciphertext pairs, she cannot learn any new information • Integrity • Prevent modification • Authentication • Prevent impersonation • Bob knows that Alice sent message

  5. Security Properties (cont) • Non-repudiation • Alice cannot deny having created message • Freshness • Bob knows that Alice’s message is recent • Replay protection • Mallory cannot replay Alice’s messages

  6. Security Primitives • Asymmetric (public-private key) • Diffie-Hellman key agreement • Public-key encryption • Digital signature • Symmetric (shared-key, same-key) • Block cipher (pseudo-random permutation PRP) • Stream cipher (pseudo-random generators PRG) • Message authentication code (MAC) • Others (unkeyed symmetric) • One-way function • Cryptographic hash function

  7. Asymmetric Primitives • Diffie-Hellman key agreement • Public values: large prime p, generator g • Alice has secret value a, Bob has secret b • A → B: $g^a \pmod p$ • B → A: $g^b$ • Bob computes $(g^a)^b = g^{ab}$ • Alice computes $(g^b)^a = g^{ab}$ • Eve cannot compute $g^{ab}$

  8. Asymmetric Primitives II • Problem: man-in-the-middle attack • Mallory can impersonate Alice to Bob, Bob to Alice • A → M: $g^a \pmod p$ • M → A: $g^m$ • M → B: $g^m$ • B → M: $g^b$ • Bob computes $(g^m)^b = g^{bm}$ • Alice computes $(g^m)^a = g^{am}$
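The two exchanges on slides 7 and 8, worked through as an added example (not part of the original slides). The prime, the base g = 3 and the fingerprint helper are assumptions chosen for the demo; the group is far too small for real use. The fingerprint comparison shows the observable consequence of slide 8: Alice and Bob no longer hold the same key.

```python
import hashlib
import secrets

P = 2**127 - 1   # toy prime (Mersenne M127), assumed for the demo only
G = 3            # assumed base g

def keypair():
    """Pick a random secret exponent and return (secret, g^secret mod p)."""
    secret = secrets.randbelow(P - 3) + 2
    return secret, pow(G, secret, P)

def shared(their_public, my_secret):
    """(g^x)^y mod p, the value each side computes locally."""
    return pow(their_public, my_secret, P)

def fingerprint(key):
    """Hypothetical short digest of a derived key, for out-of-band comparison."""
    return hashlib.sha256(key.to_bytes(16, "big")).hexdigest()[:16]

def honest_exchange():
    """Slide 7: both sides end up with g^ab."""
    a, ga = keypair()
    b, gb = keypair()
    return shared(gb, a), shared(ga, b)

def intercepted_exchange():
    """Slide 8: each side receives g^m, so the two derived keys differ."""
    a, ga = keypair()
    b, gb = keypair()
    m, gm = keypair()
    alice_key = shared(gm, a)                      # g^am
    bob_key = shared(gm, b)                        # g^bm
    mallory_keys = (shared(ga, m), shared(gb, m))  # g^am and g^bm
    return alice_key, bob_key, mallory_keys
```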

  9. Asymmetric Primitives III • Public-key encryption • El-Gamal encryption • Public values: large prime p, generator g • Alice has public key $g^a \pmod p$, private key a • Bob wants to send message M to Alice • Bob picks random x, computes $(g^a)^x = g^{ax}$ • B → A: $g^x$, $M \cdot g^{ax}$

  10. Asymmetric Primitives IV • Digital Signatures • RSA signature • Alice has large secret primes p, q • Pick e, compute d s.t. $ed \equiv 1 \pmod{\varphi(pq)}$ • Public key N = pq, e • Private key p, q, d • Signature generation of message M: $H(M)^d \bmod N$ • Signature verification: $(H(M)^d)^e = H(M)^{ed} = H(M)^{1 + K\varphi(pq)} = H(M) \pmod N$

  11. Symmetric Primitives • Block cipher is a pseudo-random permutation (PRP), each key defines a one-to-one mapping • Encryption: $E_K$(plaintext) = ciphertext • Decryption: $D_K$(ciphertext) = plaintext • We write $\{\text{plaintext}\}_K$ for $E_K$(plaintext) • Encrypt each block separately • Examples: DES, Rijndael

  12. Symmetric Primitives II • Stream ciphers use pseudo-random generators (PRG) • PRG • Input: seed • Output: pseudo-random stream • Encryption: use shared key k and initialization vector IV for the seed: ciphertext = plaintext ⊕ PRG(k, IV) • Send IV, ciphertext • Examples: RC4, SEAL

  13. Symmetric Primitives III • Message authentication codes (MAC) • “Cryptographic checksum”, keyed hash • Provides authentication, integrity • Send M, MAC(K, M) • Example: HMAC-MD5 • HMAC-MD5(K, M) = MD5(K ⊕ opad || MD5(K ⊕ ipad || M)) • ipad = 3636..36, opad = 5C5C..5C

  14. Cryptographic Hash Functions • Maps arbitrary-length input into finite length output • Properties of a secure hash function • One-way: Given y = H(x), cannot find x’ s.t. H(x’) = y • Weak collision resistance: Given x, cannot find x’ ≠ x s.t. H(x) = H(x’) • Strong collision resistance: Cannot find x, x’ s.t. H(x) = H(x’) • Example: MD5, SHA-1

  15. One-Way Hash Chains • Versatile cryptographic primitive • Construction • Pick random $r_N$ and public one-way function F • $r_i = F(r_{i+1})$ • Secret value: $r_N$, public value $r_0$ • Properties • Use in reverse order of construction: $r_1, r_2, \ldots, r_N$ • Infeasible to derive $r_i$ from $r_j$ (j<i) • Efficiently authenticate $r_i$ knowing $r_j$ (j<i): verify $r_j = F^{i-j}(r_i)$ • Robust to missing values [Figure: one-way chain of keys K3 to K7, linked by F]

  16. Comparison Sym vs Asym Crypto • Symmetric crypto • 72 bit key for high security (2000) • ~1,000,000 ops/s • 10x speedup in HW • Asymmetric crypto • 1024 bit key for high security (RSA) • ~100 signatures/s • ~1000 verify/s (RSA) • Marginal speedup in HW

  17. Sample Protocols • Sensor network encryption protocol (SNEP) • Broadcast authentication TESLA • PayWord • MicroMint

  18. SPINS Assumptions • Communication • Frequent node-base station exchanges • Frequent network flooding from base • Node-node interactions infrequent • Base station • Sufficient memory, power • Shares secret key with each node • Node • Limited resources, limited trust

  19. SNEP Security Goals • Secure point-to-point communication • Confidentiality • Secrecy • Authenticity • Integrity • Message freshness to prevent replay • Existing protocols use expensive asymmetric crypto (e.g. SSL/TLS, IPSEC)

  20. Basic Crypto Primitives • Code size constraints → code reuse • Uses block cipher encrypt function • Counter mode encryption • Cipher-block-chaining message authentication code (MAC) • Pseudo-random generator

  21. SNEP Protocol Details • A and B share • Encryption keys: $K_{AB}$, $K_{BA}$ • MAC keys: $K'_{AB}$, $K'_{BA}$ • Counters: $C_A$, $C_B$ • To send data D, A sends to B: A → B: $\{D\}_{\langle K_{AB}, C_A \rangle}$, MAC($K'_{AB}$, [$C_A$ || $\{D\}_{\langle K_{AB}, C_A \rangle}$])

  22. SNEP Properties • Secrecy & confidentiality • Semantic security against chosen ciphertext attack • Strongest security notion for encryption • Authentication • Replay protection • Code size: 1.5 Kbytes • Strong freshness protocol
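The SNEP message from slide 21 as an added example (not code from the slides or from the SPINS authors). HMAC-SHA256 stands in for both the counter-mode block cipher and the CBC-MAC, which is an assumption made so the block runs with the standard library only; the class and function names are hypothetical. As in the slide's message, the counter is not transmitted, so both sides track it.

```python
import hashlib
import hmac

def keystream(k_enc, counter, n):
    """Counter-mode keystream; HMAC-SHA256 stands in for the block cipher."""
    out = b""
    block = 0
    while len(out) < n:
        nonce = counter.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(k_enc, nonce, hashlib.sha256).digest()
        block += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def tag(k_mac, counter, ciphertext):
    """MAC(K', C || {D}); HMAC stands in for the slides' CBC-MAC."""
    data = counter.to_bytes(8, "big") + ciphertext
    return hmac.new(k_mac, data, hashlib.sha256).digest()

class Sender:
    def __init__(self, k_enc, k_mac):
        self.k_enc, self.k_mac, self.counter = k_enc, k_mac, 0

    def send(self, data):
        ct = xor(data, keystream(self.k_enc, self.counter, len(data)))
        msg = (ct, tag(self.k_mac, self.counter, ct))
        self.counter += 1          # never reuse a counter under the same key
        return msg                 # the counter itself is not transmitted

class Receiver:
    def __init__(self, k_enc, k_mac):
        self.k_enc, self.k_mac, self.counter = k_enc, k_mac, 0

    def receive(self, ct, mac_tag):
        # Verify against the receiver's own copy of C_A before decrypting.
        if not hmac.compare_digest(tag(self.k_mac, self.counter, ct), mac_tag):
            return None            # tampered, replayed or out of sync
        data = xor(ct, keystream(self.k_enc, self.counter, len(ct)))
        self.counter += 1
        return data
```

Because the counter advances on every message, the same reading encrypts to a different ciphertext each time, and a replayed message fails the MAC check against the receiver's newer counter.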

  23. Need to Stretch?

  24. Broadcast Authentication • Broadcasts data over wireless network • Packet injection usually easy • Each receiver can verify data origin [Figure: Sender broadcasts M to Alice, Bob, Carol and Dave]

  25. Authentication Needs Asymmetry • MAC: Message Authentication Code (authentication tag) • K = shared key [Figure: Sender, Alice and Bob each hold K; messages Msg, MAC(K,Msg) and Forged Msg, MAC(K, Forged Msg)]

  26. Digital Signatures Do Not Work • Signatures are expensive, e.g., RSA 1024: • High generation cost (~10 milliseconds) • High verification cost (~1 millisecond) • High communication cost (128 bytes/packet) • Very expensive on low-end processors • If we aggregate signature over multiple packets, intolerant to packet loss

  27. TESLA • Timed Efficient Stream Loss-tolerant Authentication • Uses only symmetric cryptography • Asymmetry via time • Delayed key disclosure • Requires loose time synchronization • Published in IEEE Security and Privacy 2000, NDSS 2001 [PCST]

  28. Basic Authentication Mechanism • F: public one-way function • 1: Verify K • 2: Verify MAC • 3: P Authentic! [Figure: timeline t with authentic commitment F(K), packet P carrying MAC(K,P), then K disclosed]

  29. Security Condition • Receiver knows key disclosure schedule • Security condition (for packet P): on arrival of P, receiver is certain that sender did not yet disclose K • If security condition not satisfied, drop packet

  30. TESLA • Keys disclosed 2 time intervals after use • Receiver setup: Authentic K3, key disclosure schedule • Authentication of P1: MAC(K5, P1) • Authenticate K5 • Verify MAC [Figure: key chain K3 to K7 linked by F over Time 3 to Time 7, with packets P1 and P2]

  31. TESLA: Robust to Packet Loss • Authenticate K5 • Verify MACs [Figure: key chain K3 to K7 over Time 4 to Time 7, with packets P1 to P5 carrying disclosed keys]

  32. TESLA Summary • Low overhead • Communication (~ 20 bytes) • Computation (~ 1 MAC computation per packet) • Perfect robustness to packet loss • Independent of number of receivers • Delayed authentication • Extensions: • TIK: Instant key disclosure • Heterogeneous receivers • Instant authentication (sender buffers data)
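A receiver for the mechanism on slides 28 to 31, built on the one-way chain from slide 15, as an added example (not the TESLA authors' code). SHA-256 as F, HMAC-SHA256 as the MAC, the packet layout and the `sender_interval_now` argument (the receiver's estimate of the sender's current interval, ignoring clock error) are assumptions.

```python
import hashlib
import hmac

D = 2  # keys are disclosed 2 intervals after use (slide 30)

def F(k, steps=1):
    """Public one-way function, applied `steps` times."""
    for _ in range(steps):
        k = hashlib.sha256(k).digest()
    return k

def make_chain(seed, n):
    """Return [K_0 .. K_n] with K_i = F(K_{i+1}); K_n is the random seed."""
    return [F(seed, n - i) for i in range(n + 1)]

def mac(k, m):
    return hmac.new(k, m, hashlib.sha256).digest()

def make_packet(chain, i, msg):
    """Sender side: MAC with the still-secret K_i, disclose K_{i-D}."""
    disclosed = (i - D, chain[i - D]) if i >= D else None
    return {"i": i, "msg": msg, "mac": mac(chain[i], msg), "disclosed": disclosed}

class Receiver:
    def __init__(self, idx, key):
        self.idx, self.key = idx, key      # latest authentic chain key
        self.buffer, self.authentic = [], []

    def on_packet(self, pkt, sender_interval_now):
        # Security condition: buffer only if K_i cannot have been disclosed yet.
        if sender_interval_now < pkt["i"] + D:
            self.buffer.append(pkt)
        if pkt["disclosed"]:
            self.on_key(*pkt["disclosed"])

    def on_key(self, j, kj):
        # Authenticate K_j against the last authentic key, skipping lost ones.
        if j <= self.idx or not hmac.compare_digest(F(kj, j - self.idx), self.key):
            return
        self.idx, self.key = j, kj
        waiting = []
        for p in self.buffer:
            if p["i"] > j:
                waiting.append(p)          # its key is not disclosed yet
            elif hmac.compare_digest(mac(F(kj, j - p["i"]), p["msg"]), p["mac"]):
                self.authentic.append(p["msg"])
        self.buffer = waiting
```

A packet that arrives after its key could already be public is never buffered, and a disclosed key is accepted only if hashing it forward reaches the last authentic key, so a lost disclosure costs extra hash steps and nothing else.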

  33. PayWord and MicroMint • PayWord: a credit-based scheme using one-way hash chain: $w_0\ w_1\ w_2\ w_3 \ldots$ • MicroMint: digital coins as k-way hash function collisions: $x_1, x_2, x_3, x_4 \mapsto y$

  34. PayWord Payment Model • Broker model to intermediate and aggregate [Figure: Banks and credit-card companies, Broker, User and Vendor; steps: 1. Obtain authorization or coins, 2. Purchase information from vendor; pay (inner loop), 3. Redeem payments]

  35. PayWord • Broker signs User’s public key (certificate) • User creates one-way hash chain to buy goods from vendor, $c_0, \ldots, c_N$ • Each one-way chain element has value v • User signs $c_0$ and sends it to vendor • User can incrementally pay by revealing successive elements $c_i$ • Vendor redeems payment by cashing largest element $c_j$, value = $v \cdot j$

  36. MicroMint • A digital coin should be: • Hard to produce [except by Broker] • Easy to verify [by anyone] • Digital signatures “work,” but are relatively expensive • MicroMint uses hash functions only (no public-key crypto) • Broker utilizes economy of scale to produce MicroMint coins cheaply (as with a regular mint)

  37. Economy of Scale in MicroMint [Figure: probability of finding collision vs. number of balls thrown]

  38. Minting MicroMint Coins • Pick a one-way hash function F, mapping inputs to n-bit outputs • A valid coin is a k-way collision • Find $v_1, \ldots, v_k$ s.t. $F(v_1) = \ldots = F(v_k)$ • Verification is very efficient • Producing first 2-way collision requires time $2^{n/2}$ (birthday paradox) • Producing first k-way collision requires time $N_k = 2^{n(k-1)/k}$ • Time $cN_k$ yields $c^k$ coins; once threshold of $N_k$ is passed, coins are produced rapidly
