Lecture 7 - Applied Cryptography: CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger
Applied Cryptography
• Applied cryptography is the art and science of using
cryptographic primitives to achieve specific goals.
– The use of the tools is called a construction
– e.g., encryption (achieves confidentiality)
E(k, d) = c
• Much of network and systems security is based on
the integration of constructions with the system.
Some notation …
• You will generally see protocols defined in terms of
exchanges containing some notation like
– All players are identified by their first initial
• E.g., Alice=A, Bob=B
– d is some data
– pwA is the password for A
– kAB is a symmetric key known to A and B
– A+, A- is a public/private key pair for entity A
– E(k,d) is encryption of data d with key k
– h(d) is the hash of data d
– S(A-,d) is the signature (using A’s private key) of data d
– “+” is used to refer to concatenation
Providing Authenticity/Integrity
• Most of what we have talked about so far deals with
achieving confidentiality using encryption.
• However, an often equally or more important
property is authenticity
– Authenticity is the property that we can associate data
with the specific entity it came from or belongs to
– Integrity is the property that the data has not been modified
– Note that integrity is a necessary but not sufficient
condition for authenticity (why?)
hmac(k, d) = h(k · d)
• Why does this provide authenticity?
– You cannot produce hmac(k,d) unless you know k and d
– If you could, then you could break h
– Exercise for class: prove the previous statement
• Used in protocols to authenticate content
Using HMACs
• Assume I am going to send you a random number r
over a network, and that we share a key k
• I could send you
E(k, r)
• .... over the network.
Using HMACs (cont.)
• An active attacker could replace the value E(k,r) with
any random bits and I would not know it.
– The central point is that I cannot tell one decrypted random
value from another
– The attacker can change the ciphertext, but cannot learn the result
(i.e., confidentiality is preserved)
• A fix:
E(k, r), HMAC(k, r)
• Now, the adversary cannot generate an HMAC that
will properly validate without knowing k
Using hash values as authenticators
• Consider the following scenario
• Alice is a teacher who has not decided if she will cancel
the next lecture.
• When she does decide, she communicates to Bob the
student through Mallory, her evil TA.
• She does not care if Bob shows up to a cancelled class
• Alice does not trust Mallory to deliver the message.
• She and Bob use the following protocol:
1. Alice invents a secret t
2. Alice gives Bob h(t), where h() is a crypto hash function
3. If she cancels class, she gives t to Mallory to give to Bob
– If she does not cancel class, she does nothing
– If Bob receives the token t, he knows that Alice sent it
Hash Authenticators
CSE543 Computer (and Network) Security - Fall 2005 - Professor McDaniel Page
Simple Key Distribution
• (simplified view) Assume you have 4 participants
– Distribute 3 out of 4 total keys to each participant
– Any two participants can generate a unique key
– Key sets held by each participant:
A: [k2 k3 k4]
B: [k1 k3 k4]
C: [k1 k2 k4]
D: [k1 k2 k3]
– How: pick XOR of the keys that are not held by the other
participants
• E.g., Assume A and C want to communicate
– kAC = k2 XOR k4
Simple Key Distribution (cont.)
• Why does this work?
– B cannot eavesdrop because it does not know k2
– D cannot eavesdrop because it does not know k4
• General construction
– Create large set of keys {k1,k2,…kn}
– Give precisely 1/2 of keys to each participant
• Make sure that no two sets of assigned keys are complements
– Any two participants can communicate
– The more keys you have, the more likely it is that two
participants can generate a key
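The key distribution scheme above, as an added Python example (not part of the original slides). It uses the four key sets from the slide and generalizes the pairwise rule to "XOR of every key both participants hold", which gives k2 XOR k4 for A and C. The function names and the 16-byte key size are assumptions made for illustration.

```python
import secrets
from functools import reduce
from itertools import combinations

KEY_LEN = 16  # bytes per key (assumed size, not stated on the slides)

# Key assignment from the slide: each participant holds 3 of the 4 keys.
HOLDINGS = {
    "A": {"k2", "k3", "k4"},
    "B": {"k1", "k3", "k4"},
    "C": {"k1", "k2", "k4"},
    "D": {"k1", "k2", "k3"},
}

def xor_bytes(x, y):
    return bytes(a ^ b for a, b in zip(x, y))

def shared_names(holdings, p, q):
    """Names of the keys that both p and q hold, in a fixed order."""
    return sorted(holdings[p] & holdings[q])

def pair_key(pool, holdings, p, q):
    """XOR of every key p and q both hold; None if they share no key."""
    names = shared_names(holdings, p, q)
    if not names:
        return None  # complementary sets: no common key material
    return reduce(xor_bytes, (pool[n] for n in names))

def outsiders_able_to_derive(holdings, p, q):
    """Participants other than p and q who hold every shared key."""
    shared = holdings[p] & holdings[q]
    return sorted(o for o in holdings
                  if o not in (p, q) and shared and shared <= holdings[o])

def audit(holdings):
    """Map each pair to the outsiders who could compute that pair's key."""
    return {(p, q): outsiders_able_to_derive(holdings, p, q)
            for p, q in combinations(sorted(holdings), 2)}

if __name__ == "__main__":
    # Constructed sample keys, generated fresh on each run.
    pool = {n: secrets.token_bytes(KEY_LEN) for n in ("k1", "k2", "k3", "k4")}
    print("A-C key uses:", shared_names(HOLDINGS, "A", "C"))
    print("k_AC =", pair_key(pool, HOLDINGS, "A", "C").hex())
    for pair, leaks in audit(HOLDINGS).items():
        print(pair, "exposed to:", leaks or "nobody")
```

Running `audit` on a candidate assignment before distributing keys shows which pairs, if any, have a key that a third participant could also compute.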