Handbook of Applied Cryptography - CH1, from 1.7~1.13-. Howon Kim 2017. 9.11. 1.7 Authentication & Identification. Authentication has several meanings: entity authentication (identification), message authentication (data origin authentication), data integrity, non-repudiation, and key authentication.
1.7 Authentication & Identification • Authentication • Has several meanings • entity authentication (identification), message authentication (data origin authentication), data integrity, non-repudiation, and key authentication.
1.7.1 Identification • Identification: • One of the two parties is assured of the identity of the second party involved • and that the second party was active at the time the evidence was collected
1.7.2 Data origin authentication • Message authentication: • Provides the identity of the party that sent the message to the party that receives assurance about the message.
1.8 Public Key Cryptography • e: Bob's public key • d: Bob's private key
1.8.2 The necessity of authentication in public-key systems • The adversary sends its own public key (e') to A (pretending it is B's public key e) • A ends up encrypting the message intended for B with the adversary's public key • This is the impersonation vulnerability of PKC systems • Figure 1.13 illustrates how an active adversary can defeat the system (decrypt messages intended for a second entity) without breaking the encryption system. This is a type of impersonation.
1.8.3 Digital signatures from reversible public-key encryption
1.11.1 key management through symmetric-key technique • nC2 • The need for a TTP (Trusted Third Party) for symmetric key management
1.11.2 key management through public-key tech. • Advantages of this approach include: • No trusted third party is required. • The public file could reside with each entity. • Only n public keys need to be stored to allow secure communications between any pair of entities, assuming the only attack is that by a passive adversary.
1.11.2 key management through public-key tech. • To prevent this type of attack, the entities may use a TTP to certify the public key of each entity. • The TTP has a private signing algorithm S_T and a verification algorithm V_T assumed to be known by all entities.
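How certification blocks the key substitution of 1.8.2, as an added example that is not part of the original slides: the TTP signs the pair (identity, public key) with S_T, and A checks it with V_T before encrypting. The toy RSA keys, the names "Bob" and "Eve", and the helper `key_for` are assumptions made for the demonstration.

```python
import hashlib

def keypair(p, q, e=65537):
    """Toy RSA key pair from two known primes (constructed; far too small for real use)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(identity, public_key, n):
    """Hash the (identity, public key) pair that the certificate binds together."""
    data = f"{identity}|{public_key[0]}|{public_key[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def S_T(ttp_private, identity, public_key):
    """TTP's private signing algorithm: certify that public_key belongs to identity."""
    n, d = ttp_private
    return pow(digest(identity, public_key, n), d, n)

def V_T(ttp_public, identity, public_key, certificate):
    """Public verification algorithm, assumed known to every entity."""
    n, e = ttp_public
    return pow(certificate, e, n) == digest(identity, public_key, n)

# Constructed keys built from Mersenne primes (assumption for this demo only).
TTP_PUB, TTP_PRIV = keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, _ = keypair(2**31 - 1, 2**61 - 1)   # e  : Bob's genuine public key
EVE_PUB, _ = keypair(2**31 - 1, 2**89 - 1)   # e' : the adversary's key

BOB_CERT = S_T(TTP_PRIV, "Bob", BOB_PUB)     # issued after the TTP checks Bob's identity
EVE_CERT = S_T(TTP_PRIV, "Eve", EVE_PUB)     # the adversary can only be certified as itself

def key_for(identity, offered_key, offered_cert):
    """What A does before encrypting: use the key only if the TTP vouches for it."""
    if not V_T(TTP_PUB, identity, offered_key, offered_cert):
        raise ValueError(f"public key offered for {identity} is not certified")
    return offered_key
```

The substituted key e' is rejected both with Bob's certificate and with the adversary's own certificate, because the signature covers the identity as well as the key.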
1.13 Classes of attacks & security models • Passive Attack vs. Active Attack • Passive Attack: • In a passive attack, the attacker only monitors the communication channel • That is, this is a threat to the confidentiality of data • Active Attack: • The attacker attempts to delete, add, or in some other way alter the transmission on the channel • This attack threatens data integrity and authentication as well as confidentiality
1.13.1 Attacks on encryption schemes (1/2) • The purpose of this attack is • Recover plaintext from ciphertext or even to deduce the decryption key (1) Ciphertext only attack • Deduce the decryption key or plaintext by only observing the ciphertext (2) Known plaintext attack • The adversary has a quantity of plaintext and corresponding ciphertext. (3) Chosen plaintext attack • The adversary chooses plaintext and is then given corresponding ciphertext. Subsequently, the adversary uses any information deduced in order to recover plaintext corresponding to previously unseen ciphertext. (4) Adaptive chosen plaintext attack • This is a chosen-plaintext attack wherein the choice of plaintext may depend on the ciphertext received from previous requests.
1.13.1 Attacks on encryption schemes (2/2) (5) Chosen ciphertext attack • This attack is one where the adversary selects the ciphertext and is then given the corresponding plaintext. • One way to mount such an attack is for the adversary to gain access to the equipment used for decryption (but not the decryption key, which may be securely embedded in the equipment). • The objective is then to be able, without access to such equipment, to deduce the plaintext from (different) ciphertext. (6) Adaptive chosen ciphertext attack • This is a chosen-ciphertext attack where the choice of ciphertext may depend on the plaintext received from previous requests.
1.13.2 Attacks on protocols (1) Known key attack • In this attack an adversary obtains some keys used previously and then uses this information to determine new keys. (2) Replay attack • In this attack an adversary records a communication session and replays the entire session, or a portion thereof, at some later point in time. (3) Impersonation attack • Here an adversary assumes the identity of one of the legitimate parties in a network. (4) Dictionary attack • This is usually an attack against passwords.
1.13.2 Attacks on protocols (5) Forward search • This attack is similar in spirit to the dictionary attack and is used to decrypt messages. • Suppose that in an electronic bank transaction the 32 bit field which records the value of the transaction is to be encrypted using a public-key scheme. This simple protocol is intended to provide privacy of the value field – but does it? • An adversary could easily take all 2^32 possible entries that could be plaintext in this field and encrypt them using the public encryption function. (Remember that by the very nature of public-key encryption this function must be available to the adversary.) • By comparing each of the 2^32 ciphertexts with the one which is actually encrypted in the transaction, the adversary can determine the plaintext. Here the public-key encryption function is not compromised, but rather the way it is used. (6) Interleaving attack • This • Note: when security relies on encryption with the public key, the attacker generates every possible value of the amount field (2^32), encrypts each one with the public key and keeps the results, then looks for the one that matches the encrypted bit pattern and immediately learns the amount. In this way the public-key cryptosystem is cracked without any attack on the private key that corresponds to the public key. • Figure label: Amount (32 bits)
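The forward search above at toy scale, beside a randomized variant that defeats it (an added example, not from the original slides). The RSA key is a constructed textbook key, a 16-bit field stands in for the 32-bit amount so the loop finishes quickly, and the random salt only illustrates randomization; real systems use a standardized padding such as RSA-OAEP.

```python
import secrets

# Constructed toy RSA key (assumption: two Mersenne primes, far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent; the search never touches it

FIELD_BITS = 16                     # stand-in for the 32-bit value field

def encrypt_deterministic(value):
    """Textbook public-key encryption: the same value always gives the same ciphertext."""
    return pow(value, E, N)

def encrypt_randomized(value):
    """Same field with 64 fresh random bits placed above it before encryption."""
    salt = secrets.randbits(64)
    return pow((salt << FIELD_BITS) | value, E, N)

def decrypt_randomized(ciphertext):
    """Holder of D recovers the padded message and drops the salt."""
    return pow(ciphertext, D, N) & ((1 << FIELD_BITS) - 1)

def forward_search(ciphertext):
    """Encrypt every possible field value under the public key and compare."""
    for guess in range(1 << FIELD_BITS):
        if encrypt_deterministic(guess) == ciphertext:
            return guess
    return None                     # no field value encrypts to this ciphertext
```

The search recovers any value encrypted deterministically, and returns `None` for the randomized form because the encrypted message is no longer one of the enumerable field values.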
1.13.2 Attacks on protocols (5) Interleaving attack (1/2) • This type of attack usually involves some form of impersonation in an authentication protocol (see §12.9.1). • (1) is the challenge. • (2) is the response to the challenge (rA is signed with B's private key; checking the signature on rA with B's public key authenticates that the sender really is B), and an additional challenge (rB) is sent to A. • (3) is the second response: the received rB is signed with A's private key and sent.
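1.13.2 Attacks on protocols (5) Interleaving attack (2/2) • The protocol between E and B is exactly the same as the preceding protocol. E deceives B and acts as if it were A. • This attack can be avoided if the contents of protocol messages (2) and (3) are changed. • Alternatively, if message IDs are assigned, (2') is message (2) between A and E and is not mistaken for message (3) between E and B. • Alternatively, if rA' in (3) is replaced by rA, E has no way to make the rA it sent equal to A's rA', so the attack can be resolved.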
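The flawed exchange and the last fix above (rA in place of rA' in message (3)), simulated from B's point of view as an added example that is not part of the original slides. Assumptions: the message layout follows the handbook's §12.9.1 example, (2) = rB, S_B(rB, rA, A) and (3) = rA', S_A(rA', rB, B); an HMAC under a per-party key stands in for each signature; the class and function names are hypothetical.

```python
import hashlib, hmac, secrets

# Assumption: HMAC under a per-party key stands in for that party's signature;
# verify() plays the role of checking it with the signer's public key.
KEYS = {name: secrets.token_bytes(32) for name in ("A", "B")}

def sign(signer, *fields):
    return hmac.new(KEYS[signer], "|".join(fields).encode(), hashlib.sha256).hexdigest()

def verify(signer, signature, *fields):
    return hmac.compare_digest(signature, sign(signer, *fields))

class Responder:
    """The side that receives challenge (1), sends (2) and checks (3)."""
    def __init__(self, name, bind_first_challenge):
        self.name, self.bind = name, bind_first_challenge

    def message2(self, claimed_peer, challenge):
        self.peer, self.challenge = claimed_peer, challenge
        self.nonce = secrets.token_hex(8)        # the additional challenge sent back
        return self.nonce, sign(self.name, self.nonce, challenge, claimed_peer)

    def accept_message3(self, nonce3, signature3):
        if self.bind and nonce3 != self.challenge:
            return False                         # (3) must carry rA from (1), not a fresh rA'
        return verify(self.peer, signature3, nonce3, self.nonce, self.name)

def honest_run(bind):
    """A really talks to B; B should accept in both variants."""
    b = Responder("B", bind)
    r_a = secrets.token_hex(8)
    r_b, sig_b = b.message2("A", r_a)                      # (1) then (2)
    if not verify("B", sig_b, r_b, r_a, "A"):
        return False
    n3 = r_a if bind else secrets.token_hex(8)             # rA in the fix, fresh rA' otherwise
    return b.accept_message3(n3, sign("A", n3, r_b, "B"))  # (3)

def interleaved_run(bind):
    """E relays between two sessions; returns True if B wrongly accepts E as A."""
    a, b = Responder("A", bind), Responder("B", bind)
    r_e = secrets.token_hex(8)
    r_b, _ = b.message2("A", r_e)            # E -> B (1) in A's name, B -> E (2)
    r_a2, sig_a = a.message2("B", r_b)       # E -> A (1) in B's name, A -> E (2')
    return b.accept_message3(r_a2, sig_a)    # E -> B: (2') passed off as (3)
```

With `bind=False` B accepts the relayed message even though E holds no signing key; with `bind=True` the honest run still succeeds and the relayed message is rejected.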
1.13.3 Models for evaluating security • The model for evaluation of security (1/3) • The most practical security metrics are computational, provable, and ad hoc methodology (1) Unconditional security
1.13.3 Models for evaluating security (2) Complexity theoretic security (3) Provable security
1.13.3 Models for evaluating security (4) Computational security
1.13.3 Models for evaluating security (5) Ad hoc security
1.13.4 Perspective for computational security To evaluate the security of cryptographic schemes, certain quantities are often considered.