Security Introduction

Class 11

18 February 2003

Overview

Security Properties

Security Primitives

Sample Protocols

Introducing Protocol Participants

Alice (usually the protocol initiator) Bob, Alice’s friend Eve the eavesdropper Mallory the malicious adversary Trent the trusted server

Security Properties Confidentiality (secrecy)• Eve cannot get any information• Semantic security–Even if Eve knows plaintext/ciphertext pairs, she

cannot learn any new information

Integrity• Prevent modification

Authentication• Prevent impersonation• Bob knows that Alice sent message

Security Properties (cont)

Non-repudiation• Alice cannot deny having created message

Freshness• Bob knows that Alice’s message is recent

• Replay protection–Mallory cannot replay Alice’s messages

Security Primitives Asymmetric (public-private key)• Diffie-Hellman key agreement

• Public-key encryption

• Digital signature

Symmetric (shared-key, same-key)• Block cipher (pseudo-random permutation PRP)

• Stream cipher (pseudo-random generators PRG)

• Message authentication code (MAC)

Others (unkeyed symmetric)• One-way function

• Cryptographic hash function

Asymmetric Primitives

Diffie-Hellman key agreement• Public values: large prime p, generator g

• Alice has secret value a, Bob has secret b

• A B: ga (mod p)

• B A: gb

• Bob computes (ga)b = gab

• Alice computes (gb)a = gab

• Eve cannot compute gab

Asymmetric Primitives II Problem: man-in-the-middle attack Mallory can impersonate Alice to Bob,

Bob to Alice• A M: ga (mod p)

• M A: gm

• M B: gm

• B M: gb

• Bob computes (gm)b = gbm

• Alice computes (gm)a = gam

Asymmetric Primitives III

Public-key encryption El-Gamal encryption• Public values: large prime p, generator g

• Alice has public key ga (mod p), private key a

• Bob wants to send message M to Alice

• Bob picks random x, computes (ga)x = gax

• B A: gx, Mgax

Asymmetric Primitives IV Digital Signatures RSA signature• Alice has large secret primes p, q• Pick e, compute d s.t. ed = 1 mod (pq)• Public key N=pq, e• Private key p, q, d

• Signature generation of message M

= H(M)d mod N

• Signature verification:

e = H(M)ed = H(M)1 + K(pq) = H(M) (mod N)

Symmetric Primitives

Block cipher is a pseudo-random permutation (PRP), each key defines a one-to-one mapping

Encryption: EK(plaintext) = ciphertext

Decryption: DK(ciphertext) = plaintext

We write {plaintext}K for EK(plaintext)

Encrypt each block separately Examples: DES, Rijndael

Symmetric Primitives II Stream ciphers use pseudo-random

generators (PRG) PRG• Input: seed• Output: pseudo-random stream

Encryption: use shared key k and initialization vector IV for the seed ciphertext = plaintext PRG( k, IV )

Send IV, ciphertext Examples: RC4, SEAL

Symmetric Primitives III

Message authentication codes (MAC) “Cryptographic checksum”, keyed hash Provides authentication, integrity Send M, MAC( K, M ) Example: HMAC-MD5• HMAC-MD5(K, M ) = MD5(K opad ||

MD5(K ipad || M))

• ipad = 3636..36, opad = 5C5C..5C

Cryptographic Hash Functions Maps arbitrary-length input into finite

length output Properties of a secure hash function• One-way: Given y = H(x), cannot find

x’ s.t. H(x’) = y• Weak collision resistance: Given x, cannot

find x’ ≠ x s.t. H(x) = H(x’)• Strong collision resistance: Cannot find x, x’

s.t. H(x) = H(x’) Example: MD5, SHA-1

One-Way Hash Chains Versatile cryptographic primitive Construction• Pick random rN and public one-way function F• ri = F(ri+1)• Secret value: rN , public value r0

Properties• Use in reverse order of construction: r1 , r2 … rN • Infeasible to derive ri from rj (j<i)• Efficiently authenticate ri knowing rj (j<i):

verify rj = Fi-j(ri)• Robust to missing values

K5 K6 K7K4K3FFF

K5F

Comparison Sym vs Asym Crypto

Symmetric crypto 72 bit key for high

security (2000) ~1,000,000 ops/s

10x speedup in HW

Asymmetric crypto 1024 bit key for high

security (RSA) ~100 signatures/s

~1000 verify/s (RSA) Marginal speedup in

HW

Sample Protocols

Sensor network encryption protocol

(SNEP)

Broadcast authentication TESLA

PayWord

MicroMint

SPINS Assumptions Communication• Frequent node-base station exchanges

• Frequent network flooding from base

• Node-node interactions infrequent

Base station• Sufficient memory, power

• Shares secret key with each node

Node• Limited resources, limited trust

SNEP Security Goals

Secure point-to-point communication• Confidentiality

• Secrecy

• Authenticity

• Integrity

• Message freshness to prevent replay

Existing protocols use expensive asymmetric crypto (e.g. SSL/TLS, IPSEC)

Basic Crypto Primitives

Code size constraints code reuse

Uses block cipher encrypt function

• Counter mode encryption

• Cipher-block-chaining message

authentication code (MAC)

• Pseudo-random generator

SNEP Protocol Details

A and B share

• Encryption keys: KAB KBA

• MAC keys: K'AB K'BA

• Counters: CA CB

To send data D, A sends to B:

A B: {D}<KAB, CA> ,

MAC( K'AB , [CA || {D}<KAB, CA>] )

SNEP Properties

Secrecy & confidentiality• Semantic security against chosen ciphertext attack

• Strongest security notion for encryption

Authentication

Replay protection

Code size: 1.5 Kbytes

Strong freshness protocol

Need to Stretch?

Broadcast Authentication Broadcasts data over wireless network

Packet injection usually easy

Each receiver can verify data origin

Sender

Bob

M

Carol

M

DaveAliceMM

Authentication Needs Asymmetry

SenderK

AliceK

BobK

Msg, MAC(K,Msg)

Forged Msg, MAC(K, Forged Msg)

Msg, MAC(K,Msg)

MAC: Message Authentication Code (authentication tag)

K = shared key

Digital Signatures Do Not Work

Signatures are expensive, e.g., RSA 1024:

• High generation cost (~10 milliseconds)

• High verification cost (~1 millisecond)

• High communication cost (128 bytes/packet)

Very expensive on low-end processors

If we aggregate signature over multiple

packets, intolerant to packet loss

TESLA

Timed Efficient Stream Loss-tolerant

Authentication

Uses only symmetric cryptography

Asymmetry via time

• Delayed key disclosure

• Requires loose time synchronization

Published in IEEE Security and Privacy 2000,

NDSS 2001 [PCST]

Basic Authentication Mechanism

t

F(K)AuthenticCommitment

P

MAC(K,P)

Kdisclosed

1: Verify K

2: Verify MAC

3: P Authentic!

F: public one-way function

Security Condition

Receiver knows key disclosure schedule

Security condition (for packet P):

on arrival of P, receiver is certain that sender

did not yet disclose K

If security condition not satisfied, drop packet

TESLA Keys disclosed 2 time intervals after use Receiver setup: Authentic K3, key

disclosure schedule

K5 K6 K7

tTime 4 Time 5 Time 6 Time 7

K4K3

P2

K5

P1

K3

Authentication of P1: MAC(K5, P1 )

Verify MAC

FFF

Authenticate K5

K5

Time 3

F

TESLA: Robust to Packet Loss

K4 K5 K6 K7

tTime 4 Time 5 Time 6 Time 7

K3

P5

K5

P3

K3

P2

K2

P1

K2

Verify MACs

P4

K4

FF

Authenticate K5

TESLA Summary

Low overhead• Communication (~ 20 bytes)• Computation (~ 1 MAC computation per packet)

Perfect robustness to packet loss Independent of number of receivers Delayed authentication Extensions:• TIK: Instant key disclosure• Heterogeneous receivers• Instant authentication (sender buffers data)

PayWord and MicroMint

PayWord: a credit-based scheme using one-way hash chain: w0 w1 w2 w3 ...

MicroMint: digital coins as k-way hash

function collisions: x1 x2 x3 x4

y

PayWord Payment Model

Broker model to intermediate and aggregate

Broker

VendorUser

1. Obtain authorization orcoins

2. Purchase information from vendor; pay.

3. Redeem payments

Banks and Credit-cardcompanies

(Inner loop)

PayWord Broker signs User’s public key (certificate) User creates one-way hash chain to buy

goods from vendor, c0 , …, cN Each one-way chain element has value v User signs c0 and sends it to vendor User can incrementally pay by revealing

successive elements ci Vendor redeems payment by cashing

largest element cj , value = v*j

MicroMint A digital coin should be:• Hard to produce [except by Broker]• Easy to verify [by anyone]

Digital signatures “work,” but are relatively expensive

MicroMint uses hash functions only (no public-key crypto)

Broker utilizes economy of scale to produce MicroMint coins cheaply (as with a regular mint)

Economy of Scale in MicroMint

Number of balls thrown

Pro

bab

ility

of

fin

din

g c

olli

sio

n

Minting MicroMint Coins Pick a one-way hash function F, mapping

inputs to n-bit outputs A valid coin is a k-way collision Find v1, …, vk, s.t. F(v1) = … = F(vk) Verification is very efficient Producing first 2-way collision requires time

2n/2 (birthday paradox) Producing first k-way collision requires time

Nk = 2n(k-1)/k Time cNk yields ck coins; once threshold of

Nk is passed, coins are produced rapidly