Class 5: Channels and Preview. CIS 755: Advanced Computer Security, Spring 2014. Eugene Vasserman. http://www.cis.ksu.edu/~eyv/CIS755_S14/
Jan 03, 2016
Page 1

Class 5: Channels and Preview

CIS 755: Advanced Computer Security, Spring 2014

Eugene Vasserman

http://www.cis.ksu.edu/~eyv/CIS755_S14/

Page 2

Administrative stuff

Page 3

Last time: Basic primitives

• Confidentiality (encryption)
  – Symmetric (e.g. AES)
  – Asymmetric (e.g. RSA)

• Hash functions

• Integrity and authentication
  – Symmetric (message authentication codes)
  – Asymmetric (signatures)

• Random numbers

Page 4

Preview of Math in Asymmetric Crypto

• Diffie-Hellman
  – Discrete logarithm is “hard”
  – Computational, decisional (“flavors”)

• RSA
  – Prime factorization is “hard”

• Quantum computing and Shor’s algorithm

• Elliptic Curves

• Bilinear Maps

Page 5

Person-in-the-middle

[Diagram: Alice and Bob exchange keys directly, with nothing tying the keys to names. Labels: "Confidential", "NOT Authenticated", and a "?" on Bob's side: he cannot tell who is on the other end.]

Page 6

Person-in-the-middle

[Diagram: an attacker ("Muahaha!") sits between Alice and Bob and completes a separate key exchange with each side. Labels: "Alice?", "NOT Confidential", "NOT Authenticated".]

Page 7

Certificates

[Diagram: Alice's public key is certified, so Bob can check that the key he is using belongs to Alice ("Alice!"). Labels: "Confidential", "Authenticated"; the attacker in the middle: "CRAP!".]

Page 8

PKI Example: Confidential email

[Diagram: Bob sends email to Alice under a public key he believes is hers. Labels: "Confidential?", "Authenticated?", "Alice?".]

Page 9

PKI Example: Confidential email

[Diagram: the same exchange using Alice's certified public key. Labels: "Confidential", "Authenticated", "Alice!".]
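The person-in-the-middle and certificate diagrams above in working code, as an added example that is not part of the original slides. Diffie-Hellman runs over the RFC 3526 group-14 modulus (a standard constant, not from the slides). Without authentication, Alice and Bob each end up sharing a key with Mallory rather than with each other. Signing the ephemeral share with a long-term key (a Schnorr signature over the same group, chosen here so the example needs only the standard library) is the "Certificates" step: what the certificate contributes is Bob's knowledge of Alice's authentic verification key, which this example simply assumes Bob already holds. The function names and the message label `b"CIS755 DH share|"` are the example's own.

```python
import hashlib
import secrets

# RFC 3526 group 14 (2048-bit MODP): p is a safe prime and g = 2 generates the
# subgroup of prime order q = (p - 1) / 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P - 1) // 2


def i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def h_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def keypair():
    """Secret exponent in [1, q-1] and its public value g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    """Session key from a peer's public value, after checking it lies in the
    prime-order subgroup (a check real implementations must not skip)."""
    if not 1 < peer_pub < P - 1 or pow(peer_pub, Q, P) != 1:
        raise ValueError("peer value is not in the prime-order subgroup")
    return hashlib.sha256(i2b(pow(peer_pub, priv, P))).digest()


# Schnorr signatures in the same group: Alice's long-term key. A certificate
# is what would bind the verification key y to the name "Alice"; here Bob is
# assumed to already hold the right y.
def sign(x: int, msg: bytes):
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = h_int(i2b(r), msg) % Q
    return r, (k + x * e) % Q


def verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    e = h_int(i2b(r), msg) % Q
    return pow(G, s, P) == (r * pow(y, e, P)) % P


def plain_dh(mallory_active: bool):
    """Unauthenticated DH. Returns (Alice's key, Bob's key, Mallory's keys)."""
    a, A = keypair()
    b, B = keypair()
    if not mallory_active:
        return dh_shared(a, B), dh_shared(b, A), None
    m1, M1 = keypair()          # Mallory's share sent toward Alice
    m2, M2 = keypair()          # Mallory's share sent toward Bob
    k_alice = dh_shared(a, M1)  # Alice believes M1 came from Bob
    k_bob = dh_shared(b, M2)    # Bob believes M2 came from Alice
    return k_alice, k_bob, (dh_shared(m1, A), dh_shared(m2, B))


def signed_dh(mallory_active: bool) -> bool:
    """Alice signs her share with her long-term key; Bob verifies with y_alice.
    Returns whether Bob accepts the share he receives."""
    x_alice, y_alice = keypair()
    a, A = keypair()
    sig = sign(x_alice, b"CIS755 DH share|" + i2b(A))
    if mallory_active:
        _, share_bob_sees = keypair()   # substituted share, replayed signature
    else:
        share_bob_sees = A
    return verify(y_alice, b"CIS755 DH share|" + i2b(share_bob_sees), sig)
```

Only Alice's side is authenticated here, which is what the email diagrams need (Bob must know he has Alice's key); a full channel signs both shares. Mallory can still forward her own signed share under her own key, which is exactly why the certificate must bind the key to the name Bob expects.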

Page 10

Questions?

Page 11

In practice: Optimizations

• Asymmetric encryption:
  – Password → Secret Key
  – E_SK(K), E_K(M)

• Signatures:
  – Password → Secret Key
  – M, Sig_SK(h(M))

• Why do this? Why is this safe?

• Symmetric:
  – Password → Key derivation/stretching/strengthening function → K
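An added example, not from the slides, of the symmetric bullet above (Password → key stretching function → K) using the standard library's PBKDF2-HMAC-SHA256. The `dictionary_attack` function counts the attacker's work to make the "why is this safe?" point concrete: every guess costs the full iteration count, and a per-user salt stops that work from being shared across users or precomputed. The iteration count, record layout and sample passwords are the example's own choices.

```python
import hashlib
import hmac
import os

# Illustrative cost; tune by measuring on the hardware that will verify passwords.
ITERATIONS = 100_000
KEY_LEN = 32


def stretch(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Password -> key derivation/stretching function -> K."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, KEY_LEN)


def enroll(password: str, iterations: int = ITERATIONS) -> dict:
    """What a verifier stores: fresh random salt, the cost parameter, derived key."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "key": stretch(password, salt, iterations)}


def check(record: dict, password: str) -> bool:
    candidate = stretch(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["key"])  # constant-time compare


def dictionary_attack(record: dict, guesses):
    """Attacker's view of the stored record: each guess needs a full PBKDF2 run.
    Returns (matching guess or None, HMAC evaluations spent)."""
    work = 0
    for guess in guesses:
        work += record["iterations"]
        if check(record, guess):
            return guess, work
    return None, work
```

The same derived K would be the symmetric key in E_K(M), or the key that unlocks the stored secret key SK in the two asymmetric bullets; an unstretched hash of the password would let the attacker test guesses at hash speed instead of `iterations` HMACs per guess.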

Page 12

In practice: Problems

• Composability: http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

• Attack on PKCS #1 v2 standard-compliant RSA-OAEP leaks plaintext bits:
  http://www.springerlink.com/content/tw5tuqb3hxbn9grq/

• The same idea (an error oracle on decryption) also leaks plaintext bits in many systems that use CBC block cipher mode with padding:
  http://lasecwww.epfl.ch/pub/lasec/doc/Vau02a.ps

[Image credit on slide: xkcd.com]

Page 13

• Example: WEP
  – IV, RC4(IV, k) ⊕ (M, c(M))
  – Claim: 24-bit IV + 40-bit key = 64-bit security

• On the right: text from Jonathan Katz

Problems: Composability

• Is this secure against chosen-plaintext attacks?
  – It is randomized…

• 40-bit key (in some implementations)!
  – Claims that, with IV, this gives a 64-bit effective key(!)

• And how is the IV chosen?
  – Only 24 bits long -- IV repetitions are a problem!
  – Reset to 0 upon re-initialization
  – Some implementations increment the IV as a counter

• A repeating IV allows the attacker to compute the XOR of two plaintexts
  – We have discussed already how this can be damaging

• Small IV space means the attacker can build a dictionary of (IV, RC4(IV, k)) pairs
  – If portions of some plaintexts known, this enables determination of other plaintexts

• Known-plaintext attacks discovered on this usage of RC4
  – Possible because the first byte of plaintext is a fixed, known header!

• Chosen-plaintext attacks
  – Send IP traffic/e-mail to the mobile host and watch it get forwarded
  – Transmit broadcast messages to access point
  – Authentication spoofing

• No cryptographic integrity protection
  – The checksum is linear (i.e., c(x ⊕ y) = c(x) ⊕ c(y)) and unkeyed, and therefore easy to attack
  – Allows IP redirection attack
  – Allows TCP “reaction” attacks
    • Look at whether TCP checksum is valid
    • Form of chosen-ciphertext attack

• Encryption used to provide authentication of mobile station (access point sends nonce; station returns an encryption of the nonce)
  – Allows easy spoofing after eavesdropping
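The construction on this slide implemented end to end, as an added example that is neither the slide's nor Katz's code: a 40-bit key k, a 3-byte IV, RC4 keyed with IV || k, and CRC-32 as c(M). Two of the listed problems are then carried out against it. A repeated IV repeats the keystream, so XORing two frames gives M1 ⊕ M2 and a known M1 (such as a fixed header) yields M2. The checksum is unkeyed and affine over GF(2), so an attacker can XOR any change into the ciphertext and fix the ICV without the key (c(x ⊕ d) = c(x) ⊕ c(d) ⊕ c(0…0) for equal lengths, which is what CRC-32's initial and final inversions turn the slide's linearity into). Key, IV and messages are constructed sample values; the known-plaintext key-recovery attack on RC4's key schedule is not shown.

```python
import struct
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 key scheduling plus n bytes of keystream; WEP keys it with IV || k."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key40: bytes, iv: bytes, m: bytes) -> bytes:
    """Frame = IV || RC4(IV, k) xor (M || c(M)), with c = CRC-32 (the ICV)."""
    body = m + struct.pack("<I", zlib.crc32(m))
    return iv + xor(body, rc4_keystream(iv + key40, len(body)))


def wep_decrypt(key40: bytes, frame: bytes):
    """Returns (message, icv_ok)."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + key40, len(ct)))
    m, icv = body[:-4], body[-4:]
    return m, struct.unpack("<I", icv)[0] == zlib.crc32(m)


# Problem 1: a repeated IV repeats the keystream, so C1 xor C2 = P1 xor P2.
def iv_reuse_leak(frame1: bytes, frame2: bytes) -> bytes:
    assert frame1[:3] == frame2[:3], "needs two frames with the same IV"
    n = min(len(frame1), len(frame2))
    return xor(frame1[3:n], frame2[3:n])


def recover_with_known_plaintext(leak: bytes, known_m1: bytes) -> bytes:
    """If M1 is known (e.g. a fixed header), M2 = (P1 xor P2) xor M1."""
    return xor(leak[:len(known_m1)], known_m1)


# Problem 2: CRC-32 is unkeyed and affine: crc(x ^ d) = crc(x) ^ crc(d) ^ crc(0^len),
# so the ICV of the modified message can be fixed up without knowing the key.
def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """delta is as long as the message; the result decrypts to M xor delta
    with a valid ICV, although the attacker never saw M or the key."""
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    patch = delta + struct.pack("<I", icv_delta)
    return frame[:3] + xor(frame[3:], patch)
```

`flip_bits` is the primitive behind the IP redirection attack on the slide: change the destination address bytes of an encrypted packet and the access point forwards the result, because the ICV still verifies. A keyed MAC over the ciphertext removes both problems the example shows.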

Page 14

Problems: Side channels

• Side-channel attacks VERY damaging
  – Power
  – Timing
    • See news (2013) and cool stuff (2014) pages
  – Error messages!
    • Different errors in SSH leak information (mismatch between implementation and specification of CBC block cipher mode):
      http://portal.acm.org/citation.cfm?id=586112

Page 15

Questions?

Page 16

Cool stuff

• Elliptic curves
  – y² = x³ + ax + b

• Secure multiparty computation
  – General existence result
    • Communication complexity

• Threshold cryptography
  – Encryption, signatures, secret sharing

Page 17

More cool stuff

• Identity-based encryption (IBE)
  – Time period-based

• Attribute-based encryption (ABE)

• Zero-knowledge (ZK) proofs
  – General existence result for NP
  – Interactive or non-interactive (NIZK)
    • Strength from number of rounds or predefined

• Homomorphic encryption

Page 18

Yet more cool stuff

• Key management
  – Key trees
    • Hierarchical, time-based access

• One-time use tokens
  – Compare to capabilities

• Blind signatures

• Compact signature aggregation

• Commitments (vs. hashes)

Page 19

Questions?