Lecture Info
Course details
Objectives
Syllabus
Recommended books
Vernam Cipher
Aspects of Security (CIA)
Lecture Info
Encryption
Substitution Ciphers
Frequency Analysis
History Notes
Graphical Example
Warm-up example 1: RFID Mutual Authentication
Wrong Solution
Proposed Solution
Does it work?
How to Break it
Toy Example
Conclusions
How to Define Security
Notational Convention
Semantic Security
Definition
Technicalities
Consequences
Graphical example
Unconditional Security
Lecture Info
Practical Ciphers
Stream Ciphers
Initialization Vectors
The Dunning-Kruger Effect
Warm-Up Example 2: 802.11 WEP (part 1)
WEP Cipher: RC4
WEP and IV
Repeating IV in WEP
Practical Attacks on Small IV Space
FMS Attack
Lessons to Learn
Lecture Info
Vulnerabilities and Exploits
User Authentication
Authentication Means
Warm-Up Example 2: 802.11 WEP (part 2)
Challenge-Handshake with Symmetric Cipher
Is this valid?
WEP Auth helps in Breaking Crypto
WEP Auth is Broken
WEP Goals (Revisited)
What About Integrity?
Message modification
Message Injection
Takeaways
Aftermath of 802.11
Lecture Info
Passwords and Secrets
The Problems of Passwords
Password Overload
Restricted Charset
Low Entropy
Defining Entropy
Examples
Understanding Entropy
Using Entropy
Entropy of English
Rule of Thumb
The Big Takeaway
Dictionary Attack
Some Statistics
Software
Notes on Generating Randomness
Lecture Info
User Authentication
PAP
Pros and Cons
Example of PAP (PPP trace)
CHAP
Pros and Cons
Hash Functions
Non-Crypto Hash Functions
Crypto Hash Functions
Preimage Resistance
Second Preimage Resistance
Lecture Info
Hash Functions
Example: Discrete Logarithm
Strong Collision Resistance
The Birthday Paradox
Why digest size matters
Assessing Security (is Hard)
PAP vs CHAP
Hashed Password in PAP
What about CHAP?
Conclusions
CHAP with Salt
Lecture Info
One-Time Password
Hash Chains
2-Factor Authentication
HOTP
TOTP
Mutual Authentication with CHAP
Using 2 CHAPs
Pippo's Protocol (DON'T DO THIS)
Working Solution
Nonces
Conclusions
Lecture Info
Cellular Systems
Authentication in 2G/3G
Auth in 2G
Triplets
Security by Obscurity
No Mutual Authentication
Auth in 3G
Lecture Info
Mutual Auth in 3G
SQN as an Implicit Challenge
The AUTN Format
IMSI Catching
Protecting SQN
Summary
How to Generate \(\infty\) Keys from \(1\) Secret
Lecture Info
Message Integrity
Msg Auth with Symmetric Key
Digital Signature
Defining Security for MACs
Protections of MACs
Man in the Middle (yes)
Message Spoofing (yes)
Replay attacks (nope)
Ingredients for MACs
Where to put the key?
In the Suffix \(H(M \,\,|\,\, S)\)?
Iterative Merkle-Damgard Construction
SHA-256
Lecture Info
Where to Put the Secret?
Secret Suffix: \(H(M, S)\)?
Secret Prefix: \(H(S, M)\)?
Hash-based MAC (HMAC)
HMAC Construction
HMAC Diagram
HMAC Security
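Added worked example for the "Where to Put the Secret?" and HMAC slides (this code is not part of the lecture material). It implements SHA-256 from the Merkle-Damgård iteration of the previous lecture so that the compression function can be resumed from a known chaining value. That is exactly what breaks the secret-prefix construction H(S || M): the digest is the chaining value, so anyone holding a valid tag can keep hashing and obtain a valid tag for M || glue || suffix without ever learning S. The same primitive is then used to build HMAC-SHA256, whose keyed outer hash closes that hole, and the result is checked against the standard library. The key, message and suffix are constructed for the demo; the attacker is assumed to know (or guess) only the key length.

```python
import hashlib
import hmac
import math
import struct

MASK = 0xFFFFFFFF


def _primes(count):
    """First `count` primes, used to derive the SHA-256 constants."""
    found, n = [], 2
    while len(found) < count:
        if all(n % p for p in found if p * p <= n):
            found.append(n)
        n += 1
    return found


def _icbrt(n):
    """Exact floor(cbrt(n)) by integer Newton iteration from an overestimate."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


# Round constants = fractional bits of cbrt(first 64 primes); IV = fractional bits of sqrt(first 8 primes)
K = [_icbrt(p << 96) & MASK for p in _primes(64)]
H0 = [math.isqrt(p << 64) & MASK for p in _primes(8)]


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def _compress(state, block):
    """One Merkle-Damgård step: chaining value + 64-byte block -> new chaining value."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK, c, b, a, (t1 + t2) & MASK
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]


def _pad(total_len):
    """MD padding for a total_len-byte message: 0x80, zeros, 64-bit big-endian bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha256(msg, state=None, absorbed=0):
    """SHA-256(msg); with state/absorbed, resume from the chaining value of an
    unknown prefix of `absorbed` bytes (a multiple of 64) that was already hashed."""
    h = list(state) if state is not None else list(H0)
    data = msg + _pad(absorbed + len(msg))
    for off in range(0, len(data), 64):
        h = _compress(h, data[off:off + 64])
    return struct.pack(">8I", *h)


def length_extend(tag, prefix_len, suffix):
    """Forge SHA256(S || M || glue || suffix) from tag = SHA256(S || M) and len(S || M), without S."""
    glue = _pad(prefix_len)                 # the padding the signer already absorbed
    state = struct.unpack(">8I", tag)       # a plain MD digest *is* the chaining value
    return glue, sha256(suffix, state, prefix_len + len(glue))


def hmac_sha256(key, msg):
    """HMAC = H((K ^ opad) || H((K ^ ipad) || M)); the keyed outer hash defeats extension."""
    key = (sha256(key) if len(key) > 64 else key).ljust(64, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return sha256(opad + sha256(ipad + msg))


def demo():
    """Returns (naive_mac_forgery_accepted, hmac_matches_stdlib)."""
    secret = b"s3cret-key-16byt"                  # constructed key; attacker only guesses its length
    msg = b"amount=10&to=alice"                   # constructed message
    tag = hashlib.sha256(secret + msg).digest()   # secret-prefix "MAC": H(S || M)
    glue, forged_tag = length_extend(tag, len(secret) + len(msg), b"&to=mallory")
    forged_msg = msg + glue + b"&to=mallory"
    accepted = hashlib.sha256(secret + forged_msg).digest() == forged_tag
    hmac_ok = hmac_sha256(secret, msg) == hmac.new(secret, msg, "sha256").digest()
    return accepted, hmac_ok
```

The glue bytes (0x80, zeros, length) end up inside the forged message; in a URL-encoded or binary protocol they are often tolerated, which is why this was a real attack on API signing schemes and not a curiosity. Note that the secret-suffix variant H(M || S) is not extendable this way but inherits every collision weakness of the underlying hash, which is the other half of the argument for HMAC.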
Lecture Info
Intro to RADIUS
Motivation
AAA Protocol Services
Protocol
Architecture
Security Features
RADIUS Authenticated Reply
Packet Format
Authentication Field
Possible Messages
Access-Request
Access-Reject
Access-Challenge
PPP CHAP support
Lecture Info
Password Encryption in RADIUS
Security Weaknesses in RADIUS
Message Authenticator
Dictionary Attacks to Shared Secret
Dictionary Attack to User Password
Poor PRNG Implementations
Linear Congruential Generator
Mersenne Twister
Replay Attack in RADIUS
Final Observations
Lessons from RADIUS
Lecture Info
Beyond RADIUS
Scalability Problems
Evolution in IETF
DIAMETER
SCTP
Multiple-Stream Support
Multi-Homing Support
The Internet Ossification
DIAMETER
Agents operation
Lecture Info
History of SSL/TLS
Layered View of SSL/TLS
The Original Sin of TLS
TLS Goals
TLS Protocol Stack
TLS Record Protocol (TLS v1.2)
Lecture Info
TLS Record Protocol
Fragmentation
Compression
MAC Computation
Encryption
Record Protocol Data Unit
What about replay?
Encryption and Authentication
Block Ciphers
PRP to Cipher
Lecture Info
CBC Padding Attack
CBC Padding (TLS v1.0)
CBC Decryption (TLS v1.0)
The Attack
Second Block Onwards
Is the Attack Practical?
Fixes and Follow-Ups
Lessons Learned
Lecture Info
Block Ciphers
Pseudo Random Permutation
Stirling Approximation
Possible Problems
Problem 1: Plaintext Longer than Block Size
Electronic Code Book
Problem 2: Encrypt same message twice?
IVs in Block Ciphers
Modes of Operation
Guarantee Semantic Security
Cipher Block Chaining (CBC)
Cipher Feedback Mode (CFB)
Output Feedback Mode (OFB)
Short Cycle Problem
Counter Mode (CTR)
Lecture Info
CBC for Multiple Messages
What if Predictable IV?
BEAST Attack (TLS v1.0)
Chosen Boundary Attack
CRIME Attack (2012)
Basic Idea
Actual Attack
How to Choose Input
Aftermath
Lecture Info
TLS Handshake
Goals
Messages sent
Example of TLS Trace
Client Hello
Server Hello
Asymmetric cryptography
Asymmetric vs Symmetric
Key Management in TLS
Key Transport
Key Agreement
Handshake Phases
Phase 1
Phases 2 & 3 (Key Transport)
Downgrade Attack
Lecture Info
Asymmetric Cryptography
Practical usage
HTTPS/TLS-Style
Hybrid Encryption
Two Ways to Use It
Digital Signature
The Pioneers
Asymmetric Problems
Modular Exponentiation (is easy)
Example
Discrete Logarithm (is hard)
Diffie-Hellman Key Agreement
DH Functional Limitation
Lecture Info
The RSA Cryptosystem
Euler's Theorem
Computing \(\Phi(N)\)
Consequence
RSA Construction
RSA Security
Toy Example
Extended Euclidean Algorithm
Computing RSA Inverse
RSA Signature
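Added worked example for the RSA lecture (this is not code from the slides): the extended Euclidean algorithm, the inverse d = e^-1 mod phi(N), textbook encryption, decryption and signature, and a check of Euler's theorem, which is the reason m^(ed) = m. The toy parameters p = 61, q = 53, e = 17 are constructed small primes in the spirit of the "Toy Example" slide; the functions work unchanged for real-size parameters, but textbook (unpadded) RSA as shown here is deliberately insecure, which is the subject of the later RSA padding lecture.

```python
def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a, m):
    """a^-1 mod m via the extended Euclidean algorithm (how d is computed from e)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} is not invertible modulo {m}")
    return x % m


def rsa_keygen(p, q, e):
    """N = pq, phi(N) = (p-1)(q-1), d = e^-1 mod phi(N). Returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = modinv(e, phi)          # raises if gcd(e, phi(N)) != 1
    return (n, e), (n, d)


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def rsa_sign(priv, m):
    """Textbook signature s = m^d mod N (real schemes sign a padded hash, never m itself)."""
    n, d = priv
    return pow(m, d, n)


def rsa_verify(pub, m, s):
    n, e = pub
    return pow(s, e, n) == m


def euler_check(n, phi, m):
    """Euler: m^phi(N) = 1 (mod N) whenever gcd(m, N) = 1."""
    return egcd(m, n)[0] == 1 and pow(m, phi, n) == 1


def demo():
    """Toy parameters p = 61, q = 53, e = 17 (constructed for the example)."""
    pub, priv = rsa_keygen(61, 53, 17)
    c = rsa_encrypt(pub, 65)
    return {
        "priv": priv,
        "c": c,
        "roundtrip": rsa_decrypt(priv, c) == 65,
        "sig_ok": rsa_verify(pub, 65, rsa_sign(priv, 65)),
        "euler": euler_check(3233, 3120, 65),
    }
```

With these parameters N = 3233, phi(N) = 3120 and d = 2753; the message 65 encrypts to 2790. Python's `pow(e, -1, phi)` computes the same inverse, but the explicit `egcd` shows the step the slide titled "Computing RSA Inverse" performs.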
Lecture Info
The Problem with Public Keys
Digital Certificates
Issuing a Certificate
Verifying Certificate Validity
Cert replay attacks
Proving Knowledge of Secret Key
Via Digital Signature
Via Encryption
TLS Approach
Certificate Chains
Lecture Info
Public Key Infrastructure
X.509 Certificate
High-Level Format
Version and other Data
CA and User Identity
User Public Key
CA Digital Signature
Real Example
Wildcard Certificates
Certificate Signing Request
X.509V3 Extensions
Root Certificates
Certificate Chains
Is chaining dangerous?
Certificate Revocation
Certificate Revocation List (CRL)
OpenSSL: Creating a Certificate Chain
Create CA keys
Generate the root certificate
Certificate profiles
Intermediate CA keys and CSR
Web Server keys and CSR
Server's CSR Signing
Create the Certificate Chain
Lecture Info
HTTPS With Apache2
Setting up a VHost
Testing HTTPS
HTTP Redirection to HTTPS
HTTP plaintext auth over SSL
HTTPS Downgrade Attack
HSTS
Implementation in Linux
Requirements
Attack
Protect DH Against MITM
Cipher Suites (Revisited)
Handshake Messages
Lecture Info
Entity Authentication
TLS Handshake (cont.)
Phase 3: Client Auth
Biddown attacks
Phase 4: Finishing up
Handshake with Encrypt but w/o Auth
Abbreviated Handshake
Change Cipher Spec
TLS Key Computation
Secret Hierarchy
Extract-then-Expand
Pseudo Random Functions (PRFs) in TLS
HMAC-based Key Derivation Function (HKDF)
Lecture Info
Alert Protocol
TLS does not protect TCP
Truncation Attack
Close Notify
Renegotiation
Renegotiation Attack
Preventing the Attack
Prefix Data Injection
Example #1
Lecture Info
RSA Key Transport
Chosen Ciphertext Attacks break vanilla RSA
RSA is Malleable
RSA Padding
(Actual) RSA Key Transport
Bleichenbacher's Oracle
Toy Example
Parity Attack
Is it practical?
In the wild
DROWN attack (2016)
ROBOT Attack (2018)
Countermeasures
Take-Home Messages
Lecture Info
Fake Certificates
How to Secure a File
Merkle Tree
Possible Applications
Node Authentication
Extend with Time
Blockchain Usage
Certificate Transparency
Lecture Info
Approval of TLS 1.3
Changes
New Handshake in TLS 1.3
Pre-Shared Key
Detailed Structure
0-RTT Data
Mitigate the Replay Attack
Other Stuff in TLS 1.3
Lecture Info
VPNs
Virtual Networks
Private Networks
How to build a VPN
IPsec
Implementation approaches
IPsec RFCs
Security Associations
SPI and SAD Lookup
Key management
Security Protocols
Transport vs Tunnel
Security Policies
Operations
IPsec on Linux
Overview
NETKIT topology
Plain configuration
Static SAs
Lecture Info
IPsec Security Protocols
AH
Tunnel/Transport mode
Integrity check computation
Sequence numbers
ESP
Tunnel/Transport mode
Header and Trailer
Algorithms supported
IP unreliability
Traffic flow confidentiality
IKEv2
IKE phases
IKE SAs
Message format
Header
Version flag
IKE_SA_INIT
DDoS Attacks
IKE_AUTH
CHILD_SA generation
INFORMATIONAL
Lab #2: IPsec + IKE + PSK
Racoon config
Lab #3: IPsec + IKE + X.509 Certs
Lab #4: Road Warrior Scenario
Lecture Info
Trivial Secret Sharing
With XOR
With modular sums
Extension to \(n\) parties
Shamir Secret Sharing
\((2, n)\) scheme
Dealing
Reconstructing
\((t, n)\) scheme
Lagrange Interpolation
Dealing
Reconstructing
\((3, 4)\) scheme
Is it secure?
Lecture Info
The Real Shamir Scheme
Example with \(p=101\)
Ideality
Secret Sharing for SMC
Layman example of SMC
Homomorphic property
History of SMC?
What is SMC?
SMC for Weighted Sums
Deployment Issues
Construction
\((k, k)\) schemes are better
No privacy peers
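Added worked example for the two secret-sharing lectures above (not code from the slides): Shamir's (t, n) scheme over Z_p with the lecture's p = 101, dealing by evaluating a random degree-(t-1) polynomial, reconstruction by Lagrange interpolation at x = 0, and the additive homomorphism that lets parties compute a shared sum without reconstructing the inputs, as in the SMC slides. The secrets 42 and 77 and the (3, 4) parameters are constructed for the demo; the seeded generator is only for reproducibility, a real dealer must draw coefficients from a CSPRNG.

```python
import random

P = 101  # the field prime used in the lecture's example


def _eval_poly(coeffs, x, p):
    """Horner evaluation of coeffs[0] + coeffs[1] x + ... over Z_p."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % p
    return y


def deal(secret, t, n, p=P, rng=random):
    """Shamir (t, n): f(x) = secret + a_1 x + ... + a_{t-1} x^{t-1}; share i is (i, f(i))."""
    if not (0 <= secret < p and 1 <= t <= n < p):
        raise ValueError("need 0 <= secret < p and 1 <= t <= n < p")
    coeffs = [secret] + [rng.randrange(p) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def reconstruct(shares, p=P):
    """Lagrange at 0: f(0) = sum_j y_j * prod_{m != j} x_m / (x_m - x_j)  (mod p)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for xj, yj in shares:
        num = den = 1
        for xm in xs:
            if xm != xj:
                num = num * xm % p
                den = den * (xm - xj) % p
        secret = (secret + yj * num * pow(den, -1, p)) % p
    return secret


def add_shares(shares_a, shares_b, p=P):
    """Homomorphism: party i adds its two shares locally; the result is a (t, n) sharing of a + b."""
    out = []
    for (xa, ya), (xb, yb) in zip(shares_a, shares_b):
        if xa != xb:
            raise ValueError("share indices must line up")
        out.append((xa, (ya + yb) % p))
    return out


def demo(seed=7):
    """(3, 4) sharing of a = 42 and b = 77 over Z_101; returns the checks as a dict."""
    rng = random.Random(seed)   # constructed: seeded for reproducibility, not for real use
    a, b = 42, 77
    sa, sb = deal(a, 3, 4, rng=rng), deal(b, 3, 4, rng=rng)
    return {
        # any 3 of the 4 shares give the secret, regardless of which 3
        "any_three_of_four": reconstruct(sa[:3]) == a == reconstruct([sa[0], sa[2], sa[3]]),
        # parties 2..4 add their shares of a and b and reconstruct a + b; nobody saw a or b
        "homomorphic_sum": reconstruct(add_shares(sa, sb)[1:]) == (a + b) % P,
    }
```

Feeding only t-1 shares to `reconstruct` still returns a field element, just a meaningless one: every candidate secret in Z_p is consistent with t-1 points, which is the information-theoretic argument of the "Is it secure?" slide. Interpolation over the integers (without the modulus) would leak, because the coefficients would no longer be uniform.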
Lecture Info
Verifiable Secret Sharing
Feldman Scheme
Dealer
Verifier
Commitment
Examples
Pedersen Commitment
Dealer
Verifier
Lecture Info
What is a Group?
The \(\mathbb{Z}_p^*\) group
Example \(\mathbb{Z}_{11}^*\)
Exponentiation
Generator of a Group
Order of a Group
Example \(\mathbb{Z}_{11}^*\)
Strong Primes
Quadratic Residue Subgroup
The Problem with Feldman
Fixing it
Lecture Info
Pedersen Scheme
Computationally binding proof
Dealer
Verifier
DKG Scheme
The Problem
The Answer
Example
Applications of Secret Sharing
ElGamal Cryptosystem
Threshold Cryptography
ElGamal Threshold
Towards the Solution
The Solution
Lecture Info
Why DLOG cryptosystems are better
Hybrid Ciphers
ECIES
Threshold Signature
RSA Signature
Threshold RSA (wrong)
Threshold RSA (right)
Further Extensions
RSA common modulus attack
Lecture Info
Some Statistics
Capture Resilient Device
MacKenzie + Reiter, 2003
Basic Scenario
Basic Solution
Device Initialization
Key Retrieval
Attacks
Better Solution
Secret Sharing (2, 2) for RSA
Device initialization
Key retrieval
Lecture Info
Revisiting Shamir Scheme
As Matrix Form
Reconstructing the Secret
As Span problem
LSSS Scheme
Trivial Secret Sharing in LSSS
Any LSS is Homomorphic
Span Programs in \(\mathbb{Z}_2\)
How to get Secret Sharing
Exam Question
Access Structure
LSSS Matrix from AC Predicate
AND Gate
OR Gate
Matrix Construction
Lecture Info
Why Bother with ECC?
Elliptic Curves
Elliptic Points Addition
\(P + Q\)
\(P + P\)
\(P + O = P\)
Algebraic Expressions
\(P \neq Q\) sketch
\(P = Q\) sketch
EC Over \(\mathbb{Z}_p\)
Example 1
Example 2
EC Group
Useful Properties
Lecture Info
EC Crypto
ECDH
Digital Signature
DSA
Signing
Verifying
ECDSA
Signing
Verifying
What if \(k\) is predicted?
What if \(k\) is repeated?
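Added worked example for the ECDSA slides above, including the two questions "What if k is predicted?" and "What if k is repeated?" (this is not code from the lecture). Point addition follows the affine chord-and-tangent formulas of the "EC Over Z_p" slides, here over secp256k1 so the arithmetic is real-size. A repeated nonce k produces two signatures with the same r; subtracting the two s values cancels d and yields k, after which d follows from either signature. A predicted k yields d from a single signature. The private key, nonce and messages are constructed for the demo. The standard fix is a nonce that is uniform, secret and never reused, typically derived deterministically from d and the message (RFC 6979).

```python
import hashlib
import secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over Z_p, base point G of prime order n
P = 2**256 - 2**32 - 977
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity O


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine addition covering P + O = P, P + (-P) = O, P + Q (chord) and P + P (tangent)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P         # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; fine for a demo)."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def msg_hash(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, msg, k=None):
    """ECDSA: r = (kG).x mod n, s = k^-1 (h + r d) mod n. k must be secret, uniform and never reused."""
    k = k if k is not None else secrets.randbelow(N - 1) + 1
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (msg_hash(msg) + r * d) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick another k")
    return r, s


def verify(Q, msg, sig):
    """Accept iff (h s^-1) G + (r s^-1) Q has x-coordinate r (mod n)."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    X = ec_add(ec_mul(msg_hash(msg) * w % N, G), ec_mul(r * w % N, Q))
    return X is not INF and X[0] % N == r


def recover_key_from_reused_nonce(msg1, sig1, msg2, sig2):
    """Same k => same r. Then k = (h1 - h2)/(s1 - s2) and d = (s1 k - h1)/r  (mod n)."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("different r: the nonce was not reused")
    h1, h2 = msg_hash(msg1), msg_hash(msg2)
    k = (h1 - h2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - h1) * pow(r1, -1, N) % N


def recover_key_from_known_nonce(msg, sig, k):
    """Predicted k: d = (s k - h)/r  (mod n) from a single signature."""
    r, s = sig
    return (s * k - msg_hash(msg)) * pow(r, -1, N) % N


def demo():
    """Constructed key and messages; a fixed nonce is (wrongly) used for both signatures."""
    d = int.from_bytes(hashlib.sha256(b"constructed demo private key").digest(), "big") % N
    Q = ec_mul(d, G)
    k = 0x7A5                                        # constructed bad nonce, reused below
    m1, m2 = b"pay 10 to alice", b"pay 10 to mallory"
    sig1, sig2 = sign(d, m1, k), sign(d, m2, k)
    return {
        "signatures_valid": verify(Q, m1, sig1) and verify(Q, m2, sig2),
        "same_r": sig1[0] == sig2[0],
        "reuse_recovers_d": recover_key_from_reused_nonce(m1, sig1, m2, sig2) == d,
        "known_k_recovers_d": recover_key_from_known_nonce(m1, sig1, k) == d,
    }
```

Both signatures in `demo` verify, so a verifier cannot tell that anything is wrong; the leak is visible only to someone who compares r values across signatures. The same algebra applies to plain DSA, with the group exponentiation in place of the point multiplication.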
Lecture Info
Bilinear Maps
Definition
Admissible Bilinear Maps
What Bilinear Maps to Use?
Decisional Diffie-Hellman
Easy with a Bilinear Map
MOV Reduction
Applications in Crypto
3-Party Diffie-Hellman
Identity Based Encryption
Encryption
Decryption
Extra
Lecture Info
What is CP-ABE?
Why is this important?
Goals of CP-ABE
Access Control via CP-ABE
Collusion Attacks
Technical Details
PK and MPK
Private key generation
Encryption
Decryption
Problems of ABE
CP-ABE Toolkit