Lecture Notes on Computer Security - Cryptography - Fall 2006 | CSE 543, Study notes of Computer Science

Material Type: Notes; Class: Computer Security; Subject: Computer Science and Engineering; University: Penn State - Main Campus; Term: Fall 2006;

Typology: Study notes

Pre 2010

Uploaded on 09/24/2009

koofers-user-2p5
koofers-user-2p5 🇺🇸

3

(1)

10 documents

1 / 12

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
CSE543 Computer (and Network) Security - Fall 2006 - Professor Jaeger
CSE 543 - Computer Security
Lecture 4 - Cryptography
September 14, 2006
URL: http://www.cse.psu.edu/~tjaeger/cse543-f06/
1
pf3
pf4
pf5
pf8
pf9
pfa

Partial preview of the text

Download Lecture Notes on Computer Security - Cryptography - Fall 2006 | CSE 543 and more Study notes Computer Science in PDF only on Docsity!

CSE543 Computer (and Network) Security - Fall 2006 - Professor Jaeger

CSE 543 - Computer Security

Lecture 4 - Cryptography

September 14, 2006

URL: http://www.cse.psu.edu/~tjaeger/cse543-f06/ 1

CSE543 Computer (and Network) Security - Fall 2005 - Professor McDanielCSE543 Computer (and Network) Security - Fall 2006 - Professor Jaeger

Review: secret vs. public key crypto.

  • Secret key cryptography
    • Symmetric keys, where A single key (k) is used is used for E and D
    • D( E( p, k ), k ) = p
  • All (intended) receivers have access to key
  • Note: Management of keys determines who has access to encrypted data - E.g., password encrypted email
  • Also known as symmetric key cryptography - Public key cryptography - Each key pair consists of a public and private component: k+ (public key), k- (private key) D( E(p, k+), k- ) = p D( E(p, k-), k+ ) = p - Public keys are distributed (typically) through public key certificates - Anyone can communicate secretly with you if they have your certificate - E.g., SSL-base web commerce

CSE543 Computer (and Network) Security - Fall 2005 - Professor McDanielCSE543 Computer (and Network) Security - Fall 2006 - Professor Jaeger

Hash Algorithms

  • Hash algorithm
    • Compression of data into a hash value
    • E.g., h(d) = parity(d)
    • Such algorithms are generally useful in programs
  • … as used in cryptosystems
    • One-way - (computationally) hard to invert h() , i.e., compute h - (y), where y=h(d)
    • Collision resistant^ hard to find two data x 1 and x 2 such that h(x 1 ) == h(x 2 )
  • Q: What can you do with these constructs?

CSE543 Computer (and Network) Security - Fall 2005 - Professor McDanielCSE543 Computer (and Network) Security - Fall 2006 - Professor Jaeger

  • HMAC
    • Authenticates integrity for data d
    • Uses some key k and hash algorithm h
    • To simplify, hmac(k,d) = h( k+d )
  • Why does this provide authenticity?
    • Cannot produce hmac(k,d) unless you know k, d
    • If you could, then can break h
    • Exercise for class: prove the previous statement
  • Used in protocols to authenticate content

Hashed Message Authentication Code

CSE543 Computer (and Network) Security - Fall 2005 - Professor McDanielCSE543 Computer (and Network) Security - Fall 2006 - Professor Jaeger

Digital Signatures

  • Models physical signatures in digital world
    • Association between private key and document
    • … and indirectly identity and document.
    • Asserts that document is authentic and non- reputable
  • To sign a document
    • Given document d, private key k-
    • Signature S(d) = E( k -, h(d) )
  • Validation
    • Given document d, signature S(d), public key k+
    • Validate D(k +, S(d)) = H(d)

CSE543 Computer (and Network) Security - Fall 2005 - Professor McDanielCSE543 Computer (and Network) Security - Fall 2006 - Professor Jaeger

Basic truths of cryptography …

  • Cryptography is not frequently the source of

security problems

  • Algorithms are well known and widely studied
    • Use of crypto commonly is … (e.g., WEP)
  • Vetted through crypto community
  • Avoid any “proprietary” encryption
  • Claims of “new technology” or “perfect security” are almost assuredly snake oil

CSE543 Computer (and Network) Security - Fall 2005 - Professor McDanielCSE543 Computer (and Network) Security - Fall 2006 - Professor Jaeger

Building systems with cryptography

  • Use quality libraries
    • SSLeay, lim (from Lenstra), Victor Shoup’s library, RSAREF, cryptolib
    • Find out what cryptographers think of a package before using it
  • Code review like crazy
  • Educate yourself on how to use library
    • Caveats by original designer and programmer

CSE543 Computer (and Network) Security - Fall 2005 - Professor McDanielCSE543 Computer (and Network) Security - Fall 2006 - Professor Jaeger Common issues that lead to pitfalls

  • Generating randomness
  • Storage of secret keys
  • Virtual memory (pages secrets onto disk)
  • Protocol interactions
  • Poor user interface
  • Poor choice of key length, prime length, using parameters from one algorithm in another