Authentication and Key Distribution

Size: px

Start display at page:

Download "Authentication and Key Distribution"

Maurice Harper
5 years ago
Views:

1 Authentication and Key Distribution Breno de Medeiros Department of Computer Science Florida State University Authentication and Key Distribution p.1

2 Authentication protocols Authentication and key-exchange protocols are some of the most fundamental security tasks; they enable the establishment of secure channels and other security services. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.2

3 Authentication protocols Authentication and key-exchange protocols are some of the most fundamental security tasks; they enable the establishment of secure channels and other security services. Have received long attention by the research community; however, the earlier development of authentication protocols was more art than science. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.2

4 Authentication protocols Authentication and key-exchange protocols are some of the most fundamental security tasks; they enable the establishment of secure channels and other security services. Have received long attention by the research community; however, the earlier development of authentication protocols was more art than science. Several protocols, such as Needham-Schroeder, that were believed secure for years were then found to contain subtle flaws that could lead to real vulnerabilities in specific scenarios. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.2

5 Authentication protocols Authentication and key-exchange protocols are some of the most fundamental security tasks; they enable the establishment of secure channels and other security services. Have received long attention by the research community; however, the earlier development of authentication protocols was more art than science. Several protocols, such as Needham-Schroeder, that were believed secure for years were then found to contain subtle flaws that could lead to real vulnerabilities in specific scenarios. Some protocols that are secure in isolation become insecure when several protocol runs are instantiated simultaneously and interleaved. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.2

6 How to model secure entity authentication and key exchange Defining a model for authentication is complex. Unlike attacks against encryption, an attacker against authentication can always succeed by relaying messages between honest users. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.3

7 How to model secure entity authentication and key exchange Defining a model for authentication is complex. Unlike attacks against encryption, an attacker against authentication can always succeed by relaying messages between honest users. In some cases this leads to real attacks for instance, if authentication leads directly to access to resources not further protected by encryption or other security mechanisms. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.3

8 How to model secure entity authentication and key exchange Defining a model for authentication is complex. Unlike attacks against encryption, an attacker against authentication can always succeed by relaying messages between honest users. In some cases this leads to real attacks for instance, if authentication leads directly to access to resources not further protected by encryption or other security mechanisms. In designing authentication mechanisms, the possibility of such attacks must be considered and mitigated using other techniques in addition to secure authentication protocols. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.3

9 How to model secure entity authentication and key exchange Defining a model for authentication is complex. Unlike attacks against encryption, an attacker against authentication can always succeed by relaying messages between honest users. In some cases this leads to real attacks for instance, if authentication leads directly to access to resources not further protected by encryption or other security mechanisms. In designing authentication mechanisms, the possibility of such attacks must be considered and mitigated using other techniques in addition to secure authentication protocols. Herein, an attack is only considered as such if it modifies messages. The notion of matching conversations was introduced in [?] to characterize situations where an adversarial success is not due to a protocol break. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.3

10 How to model secure entity authentication and key exchange Defining a model for authentication is complex. Unlike attacks against encryption, an attacker against authentication can always succeed by relaying messages between honest users. In some cases this leads to real attacks for instance, if authentication leads directly to access to resources not further protected by encryption or other security mechanisms. In designing authentication mechanisms, the possibility of such attacks must be considered and mitigated using other techniques in addition to secure authentication protocols. Herein, an attack is only considered as such if it modifies messages. The notion of matching conversations was introduced in [?] to characterize situations where an adversarial success is not due to a protocol break. This paper only covers two-party authentication protocols. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.3

11 Two-party protocols: Notation Parties i, j I {0, 1} k. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.4

12 Two-party protocols: Notation Parties i, j I {0, 1} k. a K: Secret information (long-lived/long-term key) of sender. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.4

13 Two-party protocols: Notation Parties i, j I {0, 1} k. a K: Secret information (long-lived/long-term key) of sender. κ : The conversation (view) of the parties, up to the current status of protocol execution. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.4

14 Two-party protocols: Notation Parties i, j I {0, 1} k. a K: Secret information (long-lived/long-term key) of sender. κ : The conversation (view) of the parties, up to the current status of protocol execution. r: random value used by the sender. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.4

15 Two-party protocols: Notation Parties i, j I {0, 1} k. a K: Secret information (long-lived/long-term key) of sender. κ : The conversation (view) of the parties, up to the current status of protocol execution. r: random value used by the sender. The protocol Π is modeled as a transition function Π(1 k, i, j, a, κ, r) = (m, δ, α), where: Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.4

16 Two-party protocols: Notation Parties i, j I {0, 1} k. a K: Secret information (long-lived/long-term key) of sender. κ : The conversation (view) of the parties, up to the current status of protocol execution. r: random value used by the sender. The protocol Π is modeled as a transition function Π(1 k, i, j, a, κ, r) = (m, δ, α), where: m {0,1} : The next message to send. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.4

17 Two-party protocols: Notation Parties i, j I {0, 1} k. a K: Secret information (long-lived/long-term key) of sender. κ : The conversation (view) of the parties, up to the current status of protocol execution. r: random value used by the sender. The protocol Π is modeled as a transition function Π(1 k, i, j, a, κ, r) = (m, δ, α), where: m {0,1} : The next message to send. δ {A, R, }: Decision to make. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.4

18 Two-party protocols: Notation Parties i, j I {0, 1} k. a K: Secret information (long-lived/long-term key) of sender. κ : The conversation (view) of the parties, up to the current status of protocol execution. r: random value used by the sender. The protocol Π is modeled as a transition function Π(1 k, i, j, a, κ, r) = (m, δ, α), where: m {0,1} : The next message to send. δ {A, R, }: Decision to make. α {0, 1} : Private output of the executing party. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.4

19 Adversarial model A is a probabilistic machine with an infinite collection of oracles Π s i,j, which represent attempt by party i to authenticate itself to j during session s N. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.5

20 Adversarial model A is a probabilistic machine with an infinite collection of oracles Π s i,j, which represent attempt by party i to authenticate itself to j during session s N. A s queries take the form of tuples (i, j, s, x), meaning that A sends x to i in session s claiming to have come from j. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.5

21 Adversarial model A is a probabilistic machine with an infinite collection of oracles Π s i,j, which represent attempt by party i to authenticate itself to j during session s N. A s queries take the form of tuples (i, j, s, x), meaning that A sends x to i in session s claiming to have come from j. Initialization: Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.5

22 Adversarial model A is a probabilistic machine with an infinite collection of oracles Π s i,j, which represent attempt by party i to authenticate itself to j during session s N. A s queries take the form of tuples (i, j, s, x), meaning that A sends x to i in session s claiming to have come from j. Initialization: The simulator S initiates long-term keys for all the honest parties, as random or pseudo-randomly chosen values. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.5

23 Adversarial model A is a probabilistic machine with an infinite collection of oracles Π s i,j, which represent attempt by party i to authenticate itself to j during session s N. A s queries take the form of tuples (i, j, s, x), meaning that A sends x to i in session s claiming to have come from j. Initialization: The simulator S initiates long-term keys for all the honest parties, as random or pseudo-randomly chosen values. S initializes a source of random bits for all honest parties. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.5

24 Adversarial model A is a probabilistic machine with an infinite collection of oracles Π s i,j, which represent attempt by party i to authenticate itself to j during session s N. A s queries take the form of tuples (i, j, s, x), meaning that A sends x to i in session s claiming to have come from j. Initialization: The simulator S initiates long-term keys for all the honest parties, as random or pseudo-randomly chosen values. S initializes a source of random bits for all honest parties. κ s i,j = start are initialized, and will accumulate the conversations between (i,j) in session s. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.5

25 Simulations S runs A, which is initialized with a source of random bits. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.6

26 Simulations S runs A, which is initialized with a source of random bits. When A makes a query (i, j, s, x), Π s i,j computes (m, δ, α) = Π(1k, i, j, a i, κ s i,j.x, rs i,j ), returning (m, δ) to A and updating the conversation with κ s i,j.x. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.6

27 Simulations S runs A, which is initialized with a source of random bits. When A makes a query (i, j, s, x), Π s i,j computes (m, δ, α) = Π(1k, i, j, a i, κ s i,j.x, rs i,j ), returning (m, δ) to A and updating the conversation with κ s i,j.x. A benign adversary A is restricted to: Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.6

28 Simulations S runs A, which is initialized with a source of random bits. When A makes a query (i, j, s, x), Π s i,j computes (m, δ, α) = Π(1k, i, j, a i, κ s i,j.x, rs i,j ), returning (m, δ) to A and updating the conversation with κ s i,j.x. A benign adversary A is restricted to: Choosing two oracles Π s 1 i,j and Πs 2 j,i. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.6

29 Simulations S runs A, which is initialized with a source of random bits. When A makes a query (i, j, s, x), Π s i,j computes (m, δ, α) = Π(1k, i, j, a i, κ s i,j.x, rs i,j ), returning (m, δ) to A and updating the conversation with κ s i,j.x. A benign adversary A is restricted to: Choosing two oracles Π s 1 i,j and Πs 2 j,i. Causes Π s 1 i,j to start, obtaining (m 1, δ 1 ) as response to query (i,j, s 1,start). Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.6

30 Simulations S runs A, which is initialized with a source of random bits. When A makes a query (i, j, s, x), Π s i,j computes (m, δ, α) = Π(1k, i, j, a i, κ s i,j.x, rs i,j ), returning (m, δ) to A and updating the conversation with κ s i,j.x. A benign adversary A is restricted to: Choosing two oracles Π s 1 i,j and Πs 2 j,i. Causes Π s 1 i,j to start, obtaining (m 1, δ 1 ) as response to query (i,j, s 1,start). Conveys flows between the oracles, sending query (j, i,s 2, m i ), if (m i,δ i ) was the response to a preceding query (i,j, s 1, m i 1 ), obtaining answer (m i+1,δ i+1 ), which is then forwarded as query (i,j, s 1, m i+1 ), and so forth. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.6

31 Conversations At the end of each simulation, the transcripts κ s i,j of each oracle Π s i,j are examined, including its final decision δs i,j. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.7

32 Conversations At the end of each simulation, the transcripts κ s i,j of each oracle Π s i,j are examined, including its final decision δs i,j. Each conversation is marked as good, or bad, depending on whether A subverted the protocol goals during that run. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.7

33 Conversations At the end of each simulation, the transcripts κ s i,j of each oracle Π s i,j are examined, including its final decision δs i,j. Each conversation is marked as good, or bad, depending on whether A subverted the protocol goals during that run. Security is defined in terms of probabilities of bad conversations, computed as distributions over the random input bits to honest parties, and the adversary. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.7

34 Picture of matching conversations 2 s j Π i, 1 s j Π i, t r t a s 1 m 1 m 2 m 2 m i m i m Figure 0: A matching conversation between two oracles. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.8

35 Mutual authentication Π is a secure mutual authentication protocol if: Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.9

36 Mutual authentication Π is a secure mutual authentication protocol if: Correctness: If oracles Π s 1 i,j and Πs 2 i,j have matching conversations, their final state δ s 1 i,j and δs 2 i,j must both be ACCEPT: A. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.9

37 Mutual authentication Π is a secure mutual authentication protocol if: Correctness: If oracles Π s 1 i,j and Πs 2 i,j have matching conversations, their final state δ s 1 i,j and δs 2 i,j must both be ACCEPT: A. Soundness: The probability that there is an oracle Π s 1 i,j with decision δi,j s = A and no oracle Πs j,i with a matching conversation is negligible. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.9

38 Mutual authentication Π is a secure mutual authentication protocol if: Correctness: If oracles Π s 1 i,j and Πs 2 i,j have matching conversations, their final state δ s 1 i,j and δs 2 i,j must both be ACCEPT: A. Soundness: The probability that there is an oracle Π s 1 i,j with decision δi,j s = A and no oracle Πs j,i with a matching conversation is negligible. In the following, some secure mutual authentication protocols are introduced. Let {f a ( )} a K denote a pseudo-random function family, and [x] a := (x,f a (x)). Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.9

39 A secure MAP i(a) j(a) Figure 1: Protocol MAP2: Flows for an authenticated exchange of three text strings. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.10

40 A secure MAP i(a) R i.text 1 j(a) Figure 1: Protocol MAP2: Flows for an authenticated exchange of three text strings. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.10

41 A secure MAP i(a) R i.text 1 j(a) [i.j.r i.r j.text 1.Text 2 ] a Figure 1: Protocol MAP2: Flows for an authenticated exchange of three text strings. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.10

42 A secure MAP i(a) R i.text 1 j(a) [i.j.r i.r j.text 1.Text 2 ] a [i.r j.text 3 ] a Figure 1: Protocol MAP2: Flows for an authenticated exchange of three text strings. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.10

43 Key exchange protocols Parties have private outputs α s i,j (session keys). Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.11

44 Key exchange protocols Parties have private outputs α s i,j (session keys). Compromise of some session keys should not affect the security of other session keys. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.11

45 Key exchange protocols Parties have private outputs α s i,j (session keys). Compromise of some session keys should not affect the security of other session keys. A is able to ask for queries: (i, j, s,reveal), which result in the private output α s i,j computed by Π s i,j being returned to A (assuming that Π i,j has accepted in session s). Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.11

46 Key exchange protocols Parties have private outputs α s i,j (session keys). Compromise of some session keys should not affect the security of other session keys. A is able to ask for queries: (i, j, s,reveal), which result in the private output α s i,j computed by Π s i,j being returned to A (assuming that Π i,j has accepted in session s). At some point, A selects a fresh oracle Π s i,j (i.e., an Π s i,j accepted session s and α s i,j has not been revealed to A) and sends it a query (i,j, s,test). Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.11

47 Key exchange protocols Parties have private outputs α s i,j (session keys). Compromise of some session keys should not affect the security of other session keys. A is able to ask for queries: (i, j, s,reveal), which result in the private output α s i,j computed by Π s i,j being returned to A (assuming that Π i,j has accepted in session s). At some point, A selects a fresh oracle Π s i,j (i.e., an Π s i,j accepted session s and α s i,j has not been revealed to A) and sends it a query (i,j, s,test). The answer to the test query is, with equal probability, either α s i,j or chosen according to the native distribution of session keys. The adversary produces a guess bit b = 0 (random) or b = 1 (real) and wins if his guess is correct. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.11

48 Secure key exchange Π is a secure key exchange protocol if: Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.12

49 Secure key exchange Π is a secure key exchange protocol if: Correctness: If A is a benign adversary, and has conveyed messages between oracles Π s 1 i,j and Πs 2 i,j, then both accept, α s 1 i,j = αs 2 i,j, and the distribution of this common output follows the prescribed distribution for session keys. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.12

50 Secure key exchange Π is a secure key exchange protocol if: Correctness: If A is a benign adversary, and has conveyed messages between oracles Π s 1 i,j and Πs 2 i,j, then both accept, α s 1 i,j = αs 2 i,j, and the distribution of this common output follows the prescribed distribution for session keys. Soundness: A has only negligible advantage over a random guess in distinguishing real from random session keys. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.12

51 Secure key exchange Π is a secure key exchange protocol if: Correctness: If A is a benign adversary, and has conveyed messages between oracles Π s 1 i,j and Πs 2 i,j, then both accept, α s 1 i,j = αs 2 i,j, and the distribution of this common output follows the prescribed distribution for session keys. Soundness: A has only negligible advantage over a random guess in distinguishing real from random session keys. In the following, let {f a 2 ( )} a2 be a pseudo-random function family, and {x} a2 := (r, x f a2 (r)) (XOR encryption), with random r. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.12

52 An AKEP i(a 1,a 2 ) j(a 1,a 2 ) Figure 2: Protocol AKEP1: Flows for an authenticated key exchange; α is the agreed session key. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.13

53 An AKEP i(a 1,a 2 ) R i j(a 1,a 2 ) Figure 2: Protocol AKEP1: Flows for an authenticated key exchange; α is the agreed session key. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.13

54 An AKEP i(a 1,a 2 ) R i j(a 1,a 2 ) [i.j.r i.r j.{α} a2 ] a1 Figure 2: Protocol AKEP1: Flows for an authenticated key exchange; α is the agreed session key. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.13

55 An AKEP i(a 1,a 2 ) R i j(a 1,a 2 ) [i.j.r i.r j.{α} a2 ] a1 [i.r j ] a1 ] a1 Figure 2: Protocol AKEP1: Flows for an authenticated key exchange; α is the agreed session key. Breno de Medeiros, Florida State University :: Adv. Top. Crypt. Netw. Sec. p.13

Proofs for Key Establishment Protocols

Proofs for Key Establishment Protocols Information Security Institute Queensland University of Technology December 2007 Outline Key Establishment 1 Key Establishment 2 3 4 Purpose of key establishment Two or more networked parties wish to establish