
Lecture for February 10, 2016 ECS 235A UC Davis Matt Bishop - PowerPoint PPT Presentation



  1. Lecture for February 10, 2016 ECS 235A UC Davis Matt Bishop February 10, 2016 ECS 235A, Matt Bishop Slide #1

  2. Supporting Crypto
     • All parts of SSL use cryptographic primitives
     • Initial phase: public key system exchanges keys
       – Messages enciphered using classical (symmetric) ciphers, checksummed using cryptographic checksums (MACs)
       – Only certain combinations allowed
     • Depends on algorithm for interchange cipher
       – Interchange algorithms: RSA, Diffie-Hellman, Fortezza

  3. RSA: Cipher, MAC Algorithms in SSL

     Interchange cipher   | Classical cipher           | MAC Algorithm
     ---------------------+----------------------------+--------------
     RSA, key ≤ 512 bits  | none                       | MD5, SHA
                          | RC4, 40-bit key            | MD5
                          | RC2, 40-bit key, CBC mode  | MD5
                          | DES, 40-bit key, CBC mode  | SHA
     RSA                  | none                       | MD5, SHA
                          | RC4, 128-bit key           | MD5, SHA
                          | IDEA, CBC mode             | SHA
                          | DES, CBC mode              | SHA
                          | DES, EDE mode, CBC mode    | SHA

  4. RSA: Cipher, MAC Algorithms in TLS

     Interchange cipher   | Classical cipher            | MAC Algorithm
     ---------------------+-----------------------------+------------------
     RSA                  | none                        | MD5, SHA, SHA256
                          | DES, EDE mode, CBC mode     | SHA
                          | AES (128-bit key), CBC mode | SHA, SHA256
                          | AES (256-bit key), CBC mode | SHA, SHA256

  5. Diffie-Hellman: Types
     • Diffie-Hellman: certificate contains D-H parameters, signed by a CA
       – DSS or RSA algorithms used to sign
     • Ephemeral Diffie-Hellman: DSS or RSA certificate used to sign D-H parameters
       – Parameters not reused, so not in certificate
     • Anonymous Diffie-Hellman: D-H with neither party authenticated
       – Use is "strongly discouraged" as it is vulnerable to man-in-the-middle attacks

  6. D-H: Cipher, MAC Algorithms in SSL

     Interchange cipher                        | Classical cipher           | MAC Algorithm
     ------------------------------------------+----------------------------+--------------
     Diffie-Hellman, DSS or RSA Certificate    | DES, 40-bit key, CBC mode  | SHA
                                               | DES, CBC mode              | SHA
                                               | DES, EDE mode, CBC mode    | SHA
     Diffie-Hellman, key ≤ 512 bits,           | DES, 40-bit key, CBC mode  | SHA
     RSA Certificate                           |                            |

  7. D-H: Cipher, MAC Algorithms in TLS

     Interchange cipher                        | Classical cipher           | MAC Algorithm
     ------------------------------------------+----------------------------+--------------
     Diffie-Hellman, DSS or RSA Certificate    | DES, EDE mode, CBC mode    | SHA
                                               | AES, 128-bit key, CBC mode | SHA, SHA256
                                               | AES, 256-bit key, CBC mode | SHA, SHA256

  8. Ephemeral D-H: Cipher, MAC Algorithms in SSL

     Interchange cipher                         | Classical cipher           | MAC Algorithm
     -------------------------------------------+----------------------------+--------------
     Ephemeral Diffie-Hellman, DSS Certificate  | DES, 40-bit key, CBC mode  | SHA
                                                | DES, CBC mode              | SHA
                                                | DES, EDE mode, CBC mode    | SHA
     Ephemeral Diffie-Hellman, key ≤ 512 bits,  | DES, 40-bit key, CBC mode  | SHA
     RSA Certificate                            |                            |

  9. Ephemeral D-H: Cipher, MAC Algorithms in TLS

     Interchange cipher                               | Classical cipher           | MAC Algorithm
     -------------------------------------------------+----------------------------+--------------
     Ephemeral Diffie-Hellman, DSS or RSA Certificate | DES, EDE mode, CBC mode    | SHA
                                                      | AES, 128-bit key, CBC mode | SHA, SHA256
                                                      | AES, 256-bit key, CBC mode | SHA, SHA256

 10. Anonymous D-H: Cipher, MAC Algorithms in SSL

     Interchange cipher                          | Classical cipher           | MAC Algorithm
     --------------------------------------------+----------------------------+--------------
     Anonymous D-H, DSS Certificate              | RC4, 40-bit key            | MD5
                                                 | RC4, 128-bit key           | MD5
                                                 | DES, 40-bit key, CBC mode  | SHA
                                                 | DES, CBC mode              | SHA
                                                 | DES, EDE mode, CBC mode    | SHA
     Anonymous Diffie-Hellman, key ≤ 512 bits,   | RC4, 40-bit key            | MD5
     RSA Certificate                             | DES, 40-bit key, CBC mode  | SHA

 11. Anonymous D-H: Cipher, MAC Algorithms in TLS

     Interchange cipher               | Classical cipher           | MAC Algorithm
     ---------------------------------+----------------------------+--------------
     Anonymous D-H, DSS Certificate   | DES, EDE mode, CBC mode    | SHA
                                      | AES, 128-bit key, CBC mode | SHA, SHA256
                                      | AES, 256-bit key, CBC mode | SHA, SHA256

 12. Fortezza: Cipher, MAC Algorithms

     Interchange cipher      | Classical cipher      | MAC Algorithm
     ------------------------+-----------------------+--------------
     Fortezza key exchange   | none                  | SHA
                             | RC4, 128-bit key      | MD5
                             | Fortezza, CBC mode    | SHA

 13. Digital Signatures
     • RSA
       – Concatenate MD5 and SHA hashes
       – Sign with the signer's private key (verified with the corresponding public key)
     • Diffie-Hellman, Fortezza
       – Compute SHA hash
       – Sign appropriately (e.g., with DSS)

 14. SSL Record Layer (figure)
     Message → compressed blocks → MAC appended to each compressed block → compressed blocks, enciphered, with MAC

 15. Record Protocol Overview
     • Lowest layer, taking messages from higher layers
       – Max block size 16,384 bytes
       – Bigger messages split into multiple blocks
     • Construction
       – Block b compressed; call it b_c
       – MAC computed for b_c
         • If MAC key not selected, no MAC computed
       – b_c, MAC enciphered
         • If enciphering key not selected, no enciphering done
       – SSL record header prepended

 16. SSL MAC Computation
     • Symbols
       – h hash function (MD5 or SHA)
       – k_w write MAC key of entity
       – ipad = 0x36, opad = 0x5C
         • Repeated 48 times for MD5, 40 times for SHA (this padded-key construction is the precursor of HMAC's inner and outer pads)
       – seq sequence number (64 bits)
       – SSL_comp message type (1 byte)
       – SSL_len block length (2 bytes)
     • MAC = h(k_w || opad || h(k_w || ipad || seq || SSL_comp || SSL_len || block))

 17. TLS MAC Computation
     • Symbols
       – h hash function negotiated with the cipher suite (SHA or SHA256 in the tables above)
       – k_w MAC write key of entity
       – seq sequence number
       – TLS_comp message type
       – TLS_vers version of TLS
       – TLS_len block length
     • MAC = HMAC_h(k_w, seq || TLS_comp || TLS_vers || TLS_len || block)
       – HMAC keyed with k_w, not a bare hash of key and data as in SSL
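The two record-layer MACs of slides 16 and 17, written out as an added example (not code from the lecture or from any SSL/TLS implementation). It assumes the SSL 3.0 pad lengths of 48 bytes for MD5 and 40 bytes for SHA, a 64-bit sequence number, a 1-byte type, a 2-byte length and a 2-byte version field; the key, record and content-type values are constructed for the demo. The verify function shows why the sequence number is inside the MAC: a record replayed or reordered no longer matches.

```python
import hashlib
import hmac
import struct

# SSL 3.0 pads the key with 0x36 / 0x5C repeated 48 times for MD5 and
# 40 times for SHA-1, not to the hash block size as HMAC does (assumption
# taken from the SSL 3.0 specification, not from the slides).
SSL3_PAD_LEN = {"md5": 48, "sha1": 40}

CT_APPLICATION_DATA = 23   # record content type used in the demo
TLS_1_2 = 0x0303           # TLS_vers value used in the demo


def ssl3_record_mac(hash_name, mac_write_key, seq, content_type, block):
    """Slide 16: h(k_w || opad || h(k_w || ipad || seq || SSL_comp || SSL_len || block))."""
    h = getattr(hashlib, hash_name)
    n = SSL3_PAD_LEN[hash_name]
    ipad, opad = b"\x36" * n, b"\x5c" * n
    # 64-bit sequence number, 1-byte type, 2-byte length, all big-endian
    header = struct.pack(">QBH", seq, content_type, len(block))
    inner = h(mac_write_key + ipad + header + block).digest()
    return h(mac_write_key + opad + inner).digest()


def tls_record_mac(hash_name, mac_write_key, seq, content_type, version, block):
    """Slide 17: HMAC_h(k_w, seq || TLS_comp || TLS_vers || TLS_len || block)."""
    header = struct.pack(">QBHH", seq, content_type, version, len(block))
    return hmac.new(mac_write_key, header + block, hash_name).digest()


def tls_record_verify(hash_name, mac_write_key, seq, content_type, version, block, tag):
    """Receiver side: recompute under the sequence number the receiver expects and
    compare in constant time, so a replayed, reordered or modified record fails."""
    expected = tls_record_mac(hash_name, mac_write_key, seq, content_type, version, block)
    return hmac.compare_digest(expected, tag)


def demo():
    key = bytes(range(20))                # constructed MAC write key
    block = b"GET / HTTP/1.0\r\n\r\n"     # constructed (compressed) record block
    tag_ssl = ssl3_record_mac("sha1", key, 0, CT_APPLICATION_DATA, block)
    tag_tls = tls_record_mac("sha256", key, 0, CT_APPLICATION_DATA, TLS_1_2, block)
    # The receiver expects sequence number 0 for this record ...
    ok = tls_record_verify("sha256", key, 0, CT_APPLICATION_DATA, TLS_1_2, block, tag_tls)
    # ... so the same record replayed one record later (seq 1) is rejected,
    # as is the same record with its body altered.
    replayed = tls_record_verify("sha256", key, 1, CT_APPLICATION_DATA, TLS_1_2, block, tag_tls)
    tampered = tls_record_verify("sha256", key, 0, CT_APPLICATION_DATA, TLS_1_2,
                                 b"GET /x HTTP/1.0\r\n\r\n", tag_tls)
    return {"ssl3_len": len(tag_ssl), "tls_len": len(tag_tls),
            "ok": ok, "replayed": replayed, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

Note that the SSL 3.0 value is not an HMAC over the same data: the key is padded to 48 or 40 bytes rather than to the hash block size, and the version is absent from the MAC input, which is one reason the version in the record header could be altered without detection in SSL 3.0 but not in TLS.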

 18. SSL Handshake Protocol
     • Used to initiate connection
       – Sets up parameters for record protocol
       – 4 rounds
     • Upper layer protocol
       – Invokes Record Protocol
     • Note: what follows assumes client, server using RSA as interchange cryptosystem

 19. Overview of Rounds
     1. Create SSL connection between client, server
     2. Server authenticates itself
     3. Client validates server, begins key exchange
     4. Acknowledgments all around

 20. Handshake Round 1
     Client → Server: { v_C || r_1 || s_1 || ciphers || comps }
     Server → Client: { v || r_2 || s_2 || cipher || comp }

     v_C       Client's version of SSL
     v         Highest version of SSL that Client, Server both understand
     r_1, r_2  Nonces (timestamp and 28 random bytes)
     s_1       Current session id (0 if new session)
     s_2       Current session id (if s_1 = 0, new session id)
     ciphers   Ciphers that client understands
     comps     Compression algorithms that client understands
     cipher    Cipher to be used
     comp      Compression algorithm to be used

 21. Handshake Round 2
     Server → Client: { certificate }
     Server → Client: { mod || exp || { h(r_1 || r_2 || mod || exp) } k_S }
     Server → Client: { ctype || gca }
     Server → Client: { er2 }

     Note: if Server is not to authenticate itself, only the last message is sent; the third message is omitted if Server does not need a Client certificate

     k_S    Server's private key (signs the temporary RSA modulus mod and exponent exp of the key exchange message)
     ctype  Certificate type requested (by cryptosystem)
     gca    Acceptable certification authorities
     er2    End round 2 message

 22. Handshake Round 3
     • Both parties compute a master secret from a given premaster
       – Used to generate keys for reading and writing

 23. Handshake Round 3, SSL master
     master    = MD5(pre || SHA('A'   || pre || r_1 || r_2)) ||
                 MD5(pre || SHA('BB'  || pre || r_1 || r_2)) ||
                 MD5(pre || SHA('CCC' || pre || r_1 || r_2))
     key_block = MD5(master || SHA('A'   || master || r_2 || r_1)) ||
                 MD5(master || SHA('BB'  || master || r_2 || r_1)) ||
                 MD5(master || SHA('CCC' || master || r_2 || r_1)) || …
     pre is the premaster secret; master is 48 bytes. key_block takes the nonces in the order r_2 || r_1 (server nonce first) and is extended with labels 'DDDD', 'EEEEE', … until enough bytes exist for the MAC keys, cipher keys and IVs of both directions.

 24. Handshake Round 3, TLS master
     A(0) = seed;  A(i) = HMAC_hash(secret, A(i–1))
     P_hash(secret, seed) = HMAC_hash(secret, A(1) || seed) || HMAC_hash(secret, A(2) || seed) || HMAC_hash(secret, A(3) || seed) || …
     PRF(secret, label, seed) = P_hash(secret, label || seed)
     master    = PRF(pre, "master secret", r_1 || r_2)
     key_block = PRF(master, "key expansion", r_2 || r_1)
     hash is SHA256 in TLS 1.2; P_hash is iterated only as many times as needed and its output truncated to the length required. As in SSL, key_block takes the server nonce first.
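Both derivations of slides 23 and 24, carried through from a premaster secret to the per-direction keys, as an added example (not the lecture's code and not taken from any SSL/TLS library). It assumes the SSL 3.0 labels continue 'DDDD', 'EEEEE', … after 'CCC', that TLS 1.2 uses P_SHA256, and that key_block is sliced in the order client MAC key, server MAC key, client write key, server write key, client IV, server IV; the premaster secret and nonces are constructed values.

```python
import hashlib
import hmac


def ssl3_master_secret(pre, r1, r2):
    """Slide 23: master = MD5(pre || SHA('A' || pre || r1 || r2)) || ... for 'A', 'BB', 'CCC'."""
    out = b""
    for label in (b"A", b"BB", b"CCC"):
        inner = hashlib.sha1(label + pre + r1 + r2).digest()
        out += hashlib.md5(pre + inner).digest()
    return out  # 3 * 16 = 48 bytes


def ssl3_key_block(master, r1, r2, length):
    """Slide 23: same construction keyed by master, labels 'A', 'BB', 'CCC', 'DDDD', ...
    The nonces are taken server-first (r2 || r1), unlike the master secret."""
    out, i = b"", 1
    while len(out) < length:
        label = bytes([0x40 + i]) * i          # 0x41 = 'A', so 'A', 'BB', 'CCC', ...
        inner = hashlib.sha1(label + master + r2 + r1).digest()
        out += hashlib.md5(master + inner).digest()
        i += 1
    return out[:length]


def p_hash(hash_name, secret, seed, length):
    """Slide 24: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || ... truncated."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls12_prf(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256(secret, label || seed)."""
    return p_hash("sha256", secret, label + seed, length)


def tls12_master_secret(pre, r1, r2):
    return tls12_prf(pre, b"master secret", r1 + r2, 48)


def tls12_key_block(master, r1, r2, length):
    return tls12_prf(master, b"key expansion", r2 + r1, length)


def split_key_block(key_block, mac_len, key_len, iv_len):
    """Slice key_block into the six per-direction values, in the order TLS defines them."""
    names = ("client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv")
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    out, pos = {}, 0
    for name, size in zip(names, sizes):
        out[name] = key_block[pos:pos + size]
        pos += size
    return out


def demo():
    pre = bytes(range(48))      # constructed premaster secret (48 bytes, as in RSA key exchange)
    r1 = b"\x11" * 32           # constructed client nonce
    r2 = b"\x22" * 32           # constructed server nonce
    ssl_master = ssl3_master_secret(pre, r1, r2)
    tls_master = tls12_master_secret(pre, r1, r2)
    # AES with a 128-bit key, CBC mode, HMAC-SHA256: 32-byte MAC keys, 16-byte keys, 16-byte IVs
    kb_len = 2 * (32 + 16 + 16)
    keys = split_key_block(tls12_key_block(tls_master, r1, r2, kb_len), 32, 16, 16)
    return ssl_master, tls_master, keys


if __name__ == "__main__":
    m1, m2, k = demo()
    print(m1.hex(), m2.hex(), {n: v.hex() for n, v in k.items()})
```

Because every key comes from one 48-byte master via a fixed expansion, the whole connection's confidentiality rests on the premaster secret: with RSA key exchange, anyone holding the server's private key can recover pre from the round 3 message and rerun exactly this derivation.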

 25. Handshake Round 3
     Client → Server: { pre } K_server
     Both Client and Server compute the master secret master as in the previous slides
     Client → Server: { h(master || opad || h(msgs || master || ipad)) }

     K_server    Server's public key; pre is the premaster secret
     msgs        Concatenation of previous messages sent/received this handshake
     opad, ipad  As above
     Note: the last message (certificate verify) is sent only if the Client has presented a certificate; it is signed with the Client's private key so the Server knows the Client holds that key

 26. Handshake Round 4
     Client sends "change cipher spec" message using that protocol
     Client → Server: { h(master || opad || h(msgs || 0x434C4E54 || master || ipad)) }
     Server sends "change cipher spec" message using that protocol
     Server → Client: { h(master || opad || h(msgs || 0x53525652 || master || ipad)) }

     0x434C4E54, 0x53525652  Sender constants ("CLNT" and "SRVR"), so a finished message cannot be reflected back to the party that sent it
     msgs                    Concatenation of all handshake messages sent/received so far, up to but not including the finished message being computed (the Server's msgs therefore includes the Client's finished message; change cipher spec messages belong to a separate protocol and are not included)
     opad, ipad, master      As above
     These finished messages are the first ones sent under the newly negotiated parameters; each side verifies the other's before sending application data.
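The round 3 certificate verify and round 4 finished computations of slides 25 and 26, as an added example that is neither the lecture's code nor an SSL implementation's. It assumes the SSL 3.0 pad lengths of 48 bytes (MD5) and 40 bytes (SHA) and that each message carries both the MD5 and the SHA value; the master secret and the handshake transcript are constructed stand-ins. The demo shows what the transcript hash buys: a ClientHello whose cipher list was rewritten in transit gives the Server a transcript that no longer matches the Client's finished value, and the attacker cannot repair it without master.

```python
import hashlib

PAD_LEN = {"md5": 48, "sha1": 40}           # SSL 3.0 pad lengths (assumption from the specification)
SENDER_CLIENT = bytes.fromhex("434C4E54")   # "CLNT", slide 26
SENDER_SERVER = bytes.fromhex("53525652")   # "SRVR"


def ssl3_handshake_hash(hash_name, master, msgs, sender=b""):
    """h(master || opad || h(msgs || sender || master || ipad)) for one hash h."""
    h = getattr(hashlib, hash_name)
    n = PAD_LEN[hash_name]
    inner = h(msgs + sender + master + b"\x36" * n).digest()
    return h(master + b"\x5c" * n + inner).digest()


def ssl3_certificate_verify(master, msgs):
    """Slide 25: no sender constant. The 36-byte result is what the Client signs
    with its certificate's private key (the signature itself is out of scope here)."""
    return ssl3_handshake_hash("md5", master, msgs) + ssl3_handshake_hash("sha1", master, msgs)


def ssl3_finished(master, msgs, sender):
    """Slide 26: MD5 value || SHA value, with the sender constant inside the inner hash."""
    return (ssl3_handshake_hash("md5", master, msgs, sender)
            + ssl3_handshake_hash("sha1", master, msgs, sender))


def demo():
    master = bytes(range(48))   # constructed master secret
    # Constructed stand-ins for the handshake messages of rounds 1 to 3, in sending order.
    client_hello = b"ClientHello:v=3.0;ciphers=RSA_3DES_SHA,RSA_RC4_40_MD5"
    server_hello = b"ServerHello:v=3.0;cipher=RSA_3DES_SHA"
    certificate = b"Certificate:server"
    server_done = b"ServerHelloDone"
    client_kex = b"ClientKeyExchange:{pre}K_server"
    msgs = client_hello + server_hello + certificate + server_done + client_kex

    client_fin = ssl3_finished(master, msgs, SENDER_CLIENT)
    # The Server recomputes the Client's value over the transcript it saw ...
    server_check = ssl3_finished(master, msgs, SENDER_CLIENT)
    # ... and its own finished covers everything before it, the Client's finished included.
    server_fin = ssl3_finished(master, msgs + client_fin, SENDER_SERVER)

    # Downgrade attempt: an attacker strips the strong cipher from the ClientHello in transit.
    # The Server's transcript now differs from the Client's, so the values disagree.
    tampered = msgs.replace(b"RSA_3DES_SHA,RSA_RC4_40_MD5", b"RSA_RC4_40_MD5")
    check_after_tamper = ssl3_finished(master, tampered, SENDER_CLIENT)

    return {"len": len(client_fin),
            "server_verifies_client": server_check == client_fin,
            "client_differs_from_server": client_fin != server_fin,
            "tamper_detected": check_after_tamper != client_fin}


if __name__ == "__main__":
    print(demo())
```

The sender constant is what stops a reflection: without it, the two finished values would be computed over the same master and (for the Client's message) the same transcript, and a message could be echoed back as the other side's.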

 27. SSL Change Cipher Spec Protocol
     • Send single byte
     • In handshake, new parameters considered "pending" until this byte received
       – Old parameters in use, so cannot just switch to new ones

 28. SSL Alert Protocol
     • Closure alert
       – Sender will send no more messages
       – Pending data delivered; new messages ignored
     • Error alerts
       – Warning: connection remains open
       – Fatal error: connection torn down as soon as sent or received
