Security Handshake Pitfalls
|
|
- Virginia McDaniel
- 6 years ago
- Views:
Transcription
1
2 Hello
3 Challenge R
4 f(k, R
5 f(k, R Problems: 1. Authentication is not mutual only authenticates Anyone can send the challenge R.
6 f(k, R Problems: 1. Authentication is not mutual only authenticates Anyone can send the challenge R. 2. Connection can be hijacked if the rest of the transaction is without cryptographic protection and attacker makes packets with addr
7 f(k, R Problems: 1. Authentication is not mutual only authenticates Anyone can send the challenge R. 2. Connection can be hijacked if the rest of the transaction is without cryptographic protection and attacker makes packets with addr 3. Off line password guessing attack if K is derived from password because both R and f(k,r are observable.
8 f(k, R Problems: 1. Authentication is not mutual only authenticates Anyone can send the challenge R. 2. Connection can be hijacked if the rest of the transaction is without cryptographic protection and attacker makes packets with addr 3. Off line password guessing attack if K is derived from password because both R and f(k,r are observable. 4. Someone reading the database may be able to impersonate later or to another server that the client uses
9 Hello
10 K{R}
11 R
12 R Concerns: 1. Requires reversible cryptography no hash
13 R Concerns: 1. Requires reversible cryptography no hash 2. No need to eavesdrop if R is recognizable Attacker says hello and gets back K{R}, if K derived from password can generate lots of Ks for a dictionary attack.
14 R Concerns: 1. Requires reversible cryptography no hash 2. No need to eavesdrop if R is recognizable Attacker says hello and gets back K{R}, if K derived from password can generate lots of Ks for a dictionary attack. 3. If R is recognizable by, then protocol authenticates but only if life of R is short, otherwise K{R} can be replayed by attacker
15 Hello, K{time}
16 Hello, K{time} Advantage: 1. One direction, more efficient is drop in replacement for existing prot.
17 Hello, K{time} Advantage: 1. One direction, more efficient is drop in replacement for cleartext prot. 2. The server does not need to keep volatile state (such as R
18 Hello, K{time} Advantage: 1. One direction, more efficient is drop in replacement for cleartext prot. 2. The server does not need to keep volatile state (such as R Problems: 1. Attacker can use K{time} to impersonate within acc clock skew
19 Hello, K{time} Advantage: 1. One direction, more efficient is drop in replacement for cleartext prot. 2. The server does not need to keep volatile state (such as R Problems: 1. Attacker can use K{time} to impersonate within acc clock skew But can be foiled if remembers all timestamps sent.
20 Hello, K{time} Advantage: 1. One direction, more efficient is drop in replacement for cleartext prot. 2. The server does not need to keep volatile state (such as R Problems: 1. Attacker can use K{time} to impersonate within acc clock skew But can be foiled if remembers all timestamps sent. 2. If multiple s, same K, K{time} on one can work on others
21 Hello, K{time} Advantage: 1. One direction, more efficient is drop in replacement for cleartext prot. 2. The server does not need to keep volatile state (such as R Problems: 1. Attacker can use K{time} to impersonate within acc clock skew But can be foiled if remembers all timestamps sent. 2. If multiple s, same K, K{time} on one can work on others Can be foiled by sending K{time server}
22 Hello, K{time} Advantage: 1. One direction, more efficient is drop in replacement for cleartext prot. 2. The server does not need to keep volatile state (such as R Problems: 1. Attacker can use K{time} to impersonate within acc clock skew But can be foiled if remembers all timestamps sent. 2. If multiple s, same K, K{time} on one can work on others Can be foiled by sending K{time server} 3. Vulnerable to attacker setting time back on!!
23 Hello, K{time} Problems: 4. Setting time requires a security handshake better make it chllng/resp (that is, not depending on time or else there is a problem if clocks of machines are too far apart the negotiation will fail.
24 Hello, time, hash{k,time}
25 Hello, time, hash{k,time} Advantage: 1. Otherwise, if time not sent, for to check hash, must try lots of different acceptable times before one matches the hash
26 (K c, S c Hello (K s, S s
27 (K c, S c Challenge R (K s, S s
28 (K c, S c signed[r] Sc (K s, S s Advantage: Like secret key protocol except database not vulnerable to peeking
29 (K c, S c signed[r] Sc (K s, S s Advantage: Like secret key protocol except database not vulnerable to peeking Problem: Can trick someone into signing something. Wait for to say Hello, send back something you want client to sign, get the signed item use it.
30 (K c, S c Hello (K s, S s
31 (K encrypt{r} c, S c Kc (K s, S s
32 (K R c, S c (K s, S s Concerns: 1. Some public key systems can only do signatures, not reversible encryption
33 (K R c, S c (K s, S s Concerns: 1. Some public key systems can only do signatures, not reversible encryption 2. Attacker can get an encrypted message sent to client, impersonate, send the message to who decrypts it. Gets back the decrypted message.
34 (K R c, S c (K s, S s Should the same keys be used for encryption and signing? 0. Someone encrypts message M with client public key, sends to client 1. Attacker intercepts M e mod N where <e,n> is the client's key pair 2. Attacker chooses number R, prime relative to modulus N 3. Attacker creates bogus message H = M e *R e (recall e is public 4. Attacker impersonates server, sends H to client for signing 5. Attacker gets H d mod N = (M*R ed mod N = M*R mod N 6. Attacker multiplies by R 1 to get M
35 (K R c, S c (K s, S s Concerns: 1. Some public key systems can only do signatures, not reversible encryption 2. Attacker can get an encrypted message sent to client, impersonate, send the message to who decrypts it. Gets back the decrypted message. Never use the same key for signing and encryption/decryption
36 (K R c, S c (K s, S s Concerns: 1. Some public key systems can only do signatures, not reversible encryption 2. Attacker can get an encrypted message sent to client, impersonate, send the message to who decrypts it. Gets back the decrypted message. Never use the same key for signing and encryption/decryption Observe: several secure independent systems may be insecure when put together (attacker may use one protocol to break another.
37 Hello, R c Mutual Authentication:
38 R s, f(k, R c Mutual Authentication:
39 f(k,r s Mutual Authentication:
40 Imposter Hello, R i Reflection Attack: Attacker wants to impersonate to. Attacker sends Hello and a challenge.
41 Imposter R s, f(k, R i Reflection Attack: Attacker wants to impersonate to. Attacker sends Hello and a challenge. Attacker gets back f(k, R i (who cares and R s.
42 Imposter R s, f(k, R i Hello, R s Reflection Attack: Attacker wants to impersonate to. Attacker sends Hello and a challenge. Attacker gets back f(k, R i (who cares and R s. Attacker opens second connection to using R s.
43 Imposter R s, f(k, R i Reflection Attack: Attacker wants to impersonate to. Attacker sends Hello and a challenge. Attacker gets back f(k, R i (who cares and R s. Attacker opens second connection to using R s. Attacker gets back R s encrypted. R p, f(k, R s
44 Imposter f(k, R s Reflection Attack: Attacker wants to impersonate to. Attacker sends Hello and a challenge. Attacker gets back f(k, R i (who cares and R s. Attacker opens second connection to using R s. Attacker gets back R s encrypted. R p, f(k, R s Attacker abandons second connection and sends back f(k, R s to complete.
45 Imposter f(k, R s R p, f(k, R s Reflection Attack, how to foil it: 1. Instead of the same key K, use different keys K s, K c K s may be almost K c (say times 1 or 1 different etc. 2. Insist the challenge from the is different from that of the
46 Imposter f(k, R s R p, f(k, R s Reflection Attack, how to foil it: 1. Instead of the same key K, use different keys K s, K c K s may be almost K c (say times 1 or 1 different etc. 2. Insist the challenge from the is different from that of the Also, off line password guessing attack vulnerability: Attacker sends message to claiming to be and enclosing a challenge R, returns the challenge encrypted f(k, R, this gives the attacker ability to check passwords
47 Hello Reflection Attack can't succeed with this protocol:
48 R s Reflection Attack can't succeed with this protocol:
49 f(k,r s Reflection Attack can't succeed with this protocol:
50 R c Reflection Attack can't succeed with this protocol:
51 f(k,r c Reflection Attack can't succeed with this protocol: Reason: Initiator always is first to prove its identity!!
52 Hello, encrypt{r c } (K Ks c, S c (K s, S s Public key mutual authentication:
53 R c, encrypt{r s } (K Kc c, S c (K s, S s Public key mutual authentication:
54 R (K s c, S c (K s, S s Public key mutual authentication:
55 R (K s c, S c (K s, S s Public key mutual authentication: Variant: R s and R c are signed by their respective parties
56 R (K s c, S c (K s, S s Public key mutual authentication: Variant: R s and R c are signed by their respective parties How does the client's workstation retrieve the client's private key when all the client knows is a password? usually keys cannot be recovered from passwords, e.g. RSA Use a directory service client workstation retrieves the following: 1. 's private key which is encrypted with 's password 2. Certificate for 's public key, signed with 's private key
57 hello R K{R} Establish a session key (secret key system: After authentication R and K{R} is known by and Can't use K{R} as session key someone may have seen it Can't use K{R+1} as session key Attacker seeing transmission using session key K{R+1} impersonates 's network address to and sends R+1 as the challenge to. responds with K{R+1}. So attacker can decrypt previous transmission.
58 hello R K{R} Establish a session key (secret key system: After authentication R and K{R} is known by and Can't use K{R} as session key someone may have seen it Can't use K{R+1} as session key Attacker seeing transmission using session key K{R+1} impersonates 's network address to and sends R+1 as the challenge to. responds with K{R+1}. So attacker can decrypt previous transmission. Session key should not be an encrypted value which can be predicted or extracted later.
59 (K c, S c g, p, [g a mod p] Sc, [g b mod p] Ss (K s, S s Establish a session key (public key system: Authenticate with Diffie Hellman exchange, RSA signing. Use g ab mod p as the session key. Attempt to get root access on either machine does not reveal the a and b needed to generate session key to decrypt recorded messages they were never recorded and the session key was tossed. If session key had been sent across, it could have been recorded and decrypted after getting root access. If session keys get sent across without being signed, attacker can send an R while impersonating 's network address.
60 Request B A KDC (K a K a {K AB } (K s K b {K AB } B (K b KDC operation, in principle Makes K AB
61 A KDC (K a N a, Req B (K s B (K b Needham Schroeder authentication and session key (secret key system: A sends a nonce N a and request to connect to B to the KDC
62 K ab, N a A KDC (K a (K s B (K b Needham Schroeder authentication and session key (secret key system: A sends a nonce N a and request to connect to B to the KDC KDC makes a session key K ab for the connection
63 K ab, N a A KDC K a {N a, B, K ab, T} (K a (K s T=K b {K ab, A} B (K b Needham Schroeder authentication and session key (secret key system: A sends a nonce N a and request to connect to B to the KDC KDC makes a session key K ab for the connection KDC encrypts N a, B, a ticket T with key K a and sends all to A. To make T the KDC encrypts the session key and A with with K b.
64 A KDC (K a (K s B (K b T, K ab {N b } Needham Schroeder authentication and session key (secret key system: A sends a nonce N a and request to connect to B to the KDC KDC makes a session key K ab for the connection KDC encrypts N a, B, a ticket T with key K a and sends all to A. To make T the KDC encrypts the session key and A with with K b. A encrypts a nonce N b with the session key K ab, sends with ticket to B
65 A KDC (K a (K s Needham Schroeder authentication and session key (secret key system: A sends a nonce N a and request to connect to B to the KDC KDC makes a session key K ab for the connection KDC encrypts N a, B, a ticket T with key K a and sends all to A. K ab {N b 1,N c } To make T the KDC encrypts the session key and A with with K b. B (K b A encrypts a nonce N b with the session key K ab, sends with ticket to B B subtracts 1 from nonce, make new nonce, encrypts with session key sends encrypted message to A.
66 A KDC (K a (K s B (K b K ab {N c 1} Needham Schroeder authentication and session key (secret key system: A sends a nonce N a and request to connect to B to the KDC KDC makes a session key K ab for the connection KDC encrypts N a, B, a ticket T with key K a and sends all to A. To make T the KDC encrypts the session key and A with with K b. A encrypts a nonce N b with the session key K ab, sends with ticket to B B subtracts 1 from nonce, make new nonce, encrypts with session key sends encrypted message to A. A subtracts 1 from nonce, encrypts with session key, sends to B
67 A KDC (K a N a, Req B (K s B (K b Needham Schroeder: What is going on? Nonce N a protects against: attacker, having stolen previous K b and message from A requesting it, waits for A to request a session key from the KDC and immediately plays back KDC's reply to A, and gets the session key encrypted with B's old K b, which it knows, so it can impersonate B to A. K a {N a, B, K ab, T} T=K b {K ab, A} Attacker need not know key of A
68 A KDC K (K a a {N a, B, K ab, T} (K s T=K b {K ab, A} B (K b Needham Schroeder: What is going on? With the identity of B inserted, attacker id substitution is detected by A Nonce is returned to check authenticity of KDC Double encryption of session key (K b for ticket, then K a on the ticket is not considered necessary
69 A KDC (K a (K s B (K b T, K ab {N b } Needham Schroeder: What is going on? A knows that only someone with B's key K b can decrypt and get the session key. With session key, B decrypts N b.
70 A KDC (K a (K s B (K b Needham Schroeder: Vulnerability If attacker finds out A's key K a, then attacker can impersonate itself to the KDC. But if A changes K a, then we require attacker not to be able to impersonate. But the ticket to B remains valid after a such a change. Attacker can save K a {N a, B, K ab, K b {K ab, A}} until it knows the old K a key, then decrypt to get K b {K ab, A} and send that to B to convince it that it is connecting with A using K ab.
71 A KDC (K a (K s B (K b Needham Schroeder: Vulnerability If attacker finds out A's key K a, then attacker can impersonate itself to the KDC. But if A changes K a, then we require attacker not to be able to impersonate. But the ticket to B remains valid after a such a change. Attacker can save K a {N a, B, K ab, K b {K ab, A}} until it knows the old K a key, then decrypt to get K b {K ab, A} and send that to B to convince it that it is connecting with A using K ab Fixed by A connecting to B requesting an encrypted nonce and using that nonce throughout the exchange.
72 A KDC (K a (K s B (K b Otway Rees: N c, A, B, K a {N a, N c, A, B}
73 A KDC (K a (K s K a {N a, N c, A, B}, K b {N b, N c, A, B} B (K b Otway Rees: If N c is not the same in both messages, KDC will stop the transaction.
74 K ab A KDC (K a (K s B (K b Otway Rees:
75 K ab A KDC (K a (K s N c, K a {N a, K ab }, K b {N b, K ab } B (K b Otway Rees: B is reassured that it is talking to KDC since its nonce was extracted using K b and sent back encrypted.
76 K ab A KDC (K a (K s B (K b Otway Rees: K a {N a, K ab } This message reassures A that both the KDC and B are OK because it can check its nonce, which it had encrypted with other things, and to get it back means the KDC used K a and the KDC validated B.
77 K ab A KDC (K a (K s B (K b Otway Rees: K ab {anything recognizable} A proves identity to B by showing it knows K ab.
78 Nonce types: Security Handshake Pitfalls Random number will probably never be reused Timestamp requires synchronized clocks Sequence number requires non volatile memory (system crash?
79 Protocol Checklist: Eavesdropping: attacker should not be able to do any of the following learn the contents of messages between connecting parties learn information enabling impersonation in a future exchange learn anything that permits off line password guessing
80 Protocol Checklist: Eavesdropping: attacker should not be able to do any of the following learn the contents of messages between connecting parties learn information enabling impersonation in a future exchange learn anything that permits off line password guessing Impersonation of Originator: attacker should not be able to do any of these: convince other party it is the real originator learn information that would enable impersonator to do an off line password guessing attack against or 's secret information learn information that would enable impersonation of in the future learn information that would enable impersonation of to trick into signing or decrypting something
81 Protocol Checklist: Eavesdropping: attacker should not be able to do any of the following learn the contents of messages between connecting parties learn information enabling impersonation in a future exchange learn anything that permits off line password guessing Impersonation of Originator: attacker should not be able to do any of these: convince other party it is the real originator learn information that would enable impersonator to do an off line password guessing attack against or 's secret information learn information that would enable impersonation of in the future learn information that would enable impersonation of to trick into signing or decrypting something Pounce attacker gets part way through authentication but should not: convince the attacker is the learn info enabling an off line password guessing attack learn info enabling impersonation of in future or to trick into signing or decrypting something
82 Protocol Checklist: Read Database: Bad news! Then attacker can convince it is the. Attacker can do off line password guessing attack against 's secret (if it is derived from a password since must have enough info to know if party really is the. But: Attacker should not be able to impersonate the to the Attacker should not be able to decrypt recorded messages between S and C
83 Protocol Checklist: Read Database: Bad news! Then attacker can convince it is the. Attacker can do off line password guessing attack against 's secret (if it is derived from a password since must have enough info to know if party really is the. But: Attacker should not be able to impersonate the to the Attacker should not be able to decrypt recorded messages between S and C Read Database: Bad News!! Then attacker can convince that it is the. Attacker can do off line password guessing attack against 's secret. But: Attacker should not be able to impersonate the to the Attacker should not be able to decrypt recorded messages between S and C
84 Protocol Checklist: Read Database: Bad news! Then attacker can convince it is the. Attacker can do off line password guessing attack against 's secret (if it is derived from a password since must have enough info to know if party really is the. But: Attacker should not be able to impersonate the to the Attacker should not be able to decrypt recorded messages between S and C Read Database: Bad News!! Then attacker can convince that it is the. Attacker can do off line password guessing attack against 's secret. But: Attacker should not be able to impersonate the to the Attacker should not be able to decrypt recorded messages between S and C Sit on net and modify messages Attacker should not be able to: do an off line password guessing attack on anybody's secret information read any messages hijack a conversation without the other side knowing this cause messages between and to be misinterpreted
CSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 3.3: Security Handshake Pitfalls CSC 474/574 Dr. Peng Ning 1 Authentication Handshakes Secure communication almost always includes an initial authentication
More informationAuthentication Handshakes
AIT 682: Network and Systems Security Topic 6.2 Authentication Protocols Instructor: Dr. Kun Sun Authentication Handshakes Secure communication almost always includes an initial authentication handshake.
More informationOutline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication
Outline Security Handshake Pitfalls (Chapter 11 & 12.2) Login Only Authentication (One Way) Login i w/ Shared Secret One-way Public Key Lamport s Hash Mutual Authentication Shared Secret Public Keys Timestamps
More informationCIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols
CIS 6930/4930 Computer and Network Security Topic 6.2 Authentication Protocols 1 Authentication Handshakes Secure communication almost always includes an initial authentication handshake. Authenticate
More informationSecurity Handshake Pitfalls
Security Handshake Pitfalls Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr 1 Cryptographic Authentication Password authentication is subject to eavesdropping Alternative: Cryptographic challenge-response
More information6. Security Handshake Pitfalls Contents
Contents 1 / 45 6.1 Introduction 6.2 Log-in Only 6.3 Mutual Authentication 6.4 Integrity/Encryption of Data 6.5 Mediated Authentication (with KDC) 6.6 Bellovin-Merrit 6.7 Network Log-in and Password Guessing
More informationSecurity Handshake Pitfalls
Cryptographic Authentication Security Handshake Pitfalls Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr Password authentication is subject to eavesdropping Alternative: Cryptographic challenge-response
More informationSecurity Handshake Pitfalls
Security Handshake Pitfalls 1 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: Authenticate each other Establish sessions keys This process may
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Security Handshake Pitfalls Login only Mutual
More information0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken
0/41 Alice Who? Authentication Protocols Andreas Zeller/Stephan Neuhaus Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken The Menu 1/41 Simple Authentication Protocols The Menu 1/41 Simple
More informationIdeal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012
Ideal Security Protocol Satisfies security requirements Requirements must be precise Efficient Small computational requirement Small bandwidth usage, network delays Not fragile Works when attacker tries
More informationCSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni
CSCI 667: Concepts of Computer Security Lecture 9 Prof. Adwait Nadkarni 1 Derived from slides by William Enck, Micah Sherr, Patrick McDaniel, Peng Ning, and Vitaly Shmatikov Authentication Alice? Bob?
More informationWhat did we talk about last time? Public key cryptography A little number theory
Week 4 - Friday What did we talk about last time? Public key cryptography A little number theory If p is prime and a is a positive integer not divisible by p, then: a p 1 1 (mod p) Assume a is positive
More informationProtocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh
Protocols II Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 17th February 2011 Outline Introduction Shared-key Authentication Asymmetric authentication protocols
More informationPassword. authentication through passwords
Password authentication through passwords Human beings Short keys; possibly used to generate longer keys Dictionary attack: adversary tries more common keys (easy with a large set of users) Trojan horse
More informationCryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1
Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography CS555 Spring 2012/Topic 16 1 Outline and Readings Outline Private key management between two parties Key management
More informationCryptographic Protocols 1
Cryptographic Protocols 1 Luke Anderson luke@lukeanderson.com.au 5 th May 2017 University Of Sydney Overview 1. Crypto-Bulletin 2. Problem with Diffie-Hellman 2.1 Session Hijacking 2.2 Encrypted Key Exchange
More informationData Security and Privacy. Topic 14: Authentication and Key Establishment
Data Security and Privacy Topic 14: Authentication and Key Establishment 1 Announcements Mid-term Exam Tuesday March 6, during class 2 Need for Key Establishment Encrypt K (M) C = Encrypt K (M) M = Decrypt
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.
CS355: Cryptography Lecture 17: X509. PGP. Authentication protocols. Key establishment. Public Keys and Trust Public Key:P A Secret key: S A Public Key:P B Secret key: S B How are public keys stored How
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 9 March 30, 2011 Question 1 Another Use for Hash Functions (8 min) The traditional Unix system for password authentication works more or less like
More informationReal-time protocol. Chapter 16: Real-Time Communication Security
Chapter 16: Real-Time Communication Security Mohammad Almalag Dept. of Computer Science Old Dominion University Spring 2013 1 Real-time protocol Parties negotiate interactively (Mutual) Authentication
More informationSecurity and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models
CS 645 Security and Privacy in Computer Systems Lecture 7 The Kerberos authentication system Last Week Security policy, security models, trust Access control models The Bell-La Padula (BLP) model The Biba
More informationAcknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications
CSE565: Computer Security Lectures 16 & 17 Authentication & Applications Shambhu Upadhyaya Computer Science & Eng. University at Buffalo Buffalo, New York 14260 Lec 16.1 Acknowledgments Material for some
More information10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms
Authentication IT443 Network Security Administration Instructor: Bo Sheng Authentication Mechanisms Key Distribution Center and Certificate Authorities Session Key 1 2 Authentication Authentication is
More informationCryptography and Network Security
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown Chapter 14 Authentication Applications We cannot enter into alliance with neighbouring princes until
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 24 April 16, 2012 CPSC 467b, Lecture 24 1/33 Kerberos Secure Shell (SSH) Transport Layer Security (TLS) Digital Rights Management
More informationUser Authentication Protocols Week 7
User Authentication Protocols Week 7 CEN-5079: 2.October.2017 1 Announcement Homework 1 is posted on the class webpage Due in 2 weeks 10 points (out of 100) subtracted each late day CEN-5079: 2.October.2017
More informationCMSC 414 S09 Exam 2 Page 1 of 6 Name:
CMSC 414 S09 Exam 2 Page 1 of 6 Name: Total points: 100. Total time: 115 minutes. 6 problems over 6 pages. No book, notes, or calculator Unless stated otherwise, the following conventions are used: K{X}
More informationKey Management and Elliptic Curves
Key Management and Elliptic Curves Key Management Distribution of ublic Keys ublic-key Distribution of Secret Keys Diffie-Hellman Key Echange Elliptic Curves Mathematical foundations Elliptic curves over
More informationInformation Security CS 526
Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric
More informationAuthentication Protocols. Outline. Who Is Authenticated?
Authentication Protocols Guevara Noubir College of Computer and Information Science Northeastern University noubir@ccs.neu.edu Outline Overview of Authentication Systems [Chapter 9] Authentication of People
More informationCS 494/594 Computer and Network Security
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Real-Time Communication Security Network layers
More informationNetwork Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions
CHAPTER 3 Network Security Solutions to Review Questions and Exercises Review Questions. A nonce is a large random number that is used only once to help distinguish a fresh authentication request from
More informationSpring 2010: CS419 Computer Security
Spring 2010: CS419 Computer Security Vinod Ganapathy Lecture 7 Topic: Key exchange protocols Material: Class handout (lecture7_handout.pdf) Chapter 2 in Anderson's book. Today s agenda Key exchange basics
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationCryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 38 A Tutorial on Network Protocols
More informationLecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena
Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall 2009 Nitesh Saxena *Adopted from a previous lecture by Gene Tsudik Course Admin HW3 Problem 3 due Friday midnight
More informationL13. Reviews. Rocky K. C. Chang, April 10, 2015
L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing
More informationChapter 9: Key Management
Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures Slide #9-1 Overview Key exchange Session vs. interchange
More informationOther Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?
ryptography Goals Protect private communication in the public world and are shouting messages over a crowded room no one can understand what they are saying 1 Other Uses of ryptography Authentication should
More information1 Identification protocols
ISA 562: Information Security, Theory and Practice Lecture 4 1 Identification protocols Now that we know how to authenticate messages using MACs, a natural question is, how can we use MACs to prove that
More informationHOST Authentication Overview ECE 525
Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication in real-time
More informationComputer Networks & Security 2016/2017
Computer Networks & Security 2016/2017 Network Security Protocols (10) Dr. Tanir Ozcelebi Courtesy: Jerry den Hartog Courtesy: Kurose and Ross TU/e Computer Science Security and Embedded Networked Systems
More informationEEC-682/782 Computer Networks I
EEC-682/782 Computer Networks I Lecture 25 Wenbing Zhao wenbingz@gmail.com http://academic.csuohio.edu/zhao_w/teaching/eec682.htm (Lecture nodes are based on materials supplied by Dr. Louise Moser at UCSB
More informationIssues. Separation of. Distributed system security. Security services. Security policies. Security mechanism
Module 9 - Security Issues Separation of Security policies Precise definition of which entities in the system can take what actions Security mechanism Means of enforcing that policy Distributed system
More informationCIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries
CIS 6930/4930 Computer and Network Security Topic 7. Trusted Intermediaries 1 Trusted Intermediaries Problem: authentication for large networks Solution #1 Key Distribution Center (KDC) Representative
More informationElements of Security
Elements of Security Dr. Bill Young Department of Computer Sciences University of Texas at Austin Last updated: April 8, 2015 at 12:47 Slideset 7: 1 Car Talk Puzzler You have a friend in a police state
More informationCryptographic Checksums
Cryptographic Checksums Mathematical function to generate a set of k bits from a set of n bits (where k n). k is smaller then n except in unusual circumstances Example: ASCII parity bit ASCII has 7 bits;
More informationCIS 6930/4930 Computer and Network Security. Final exam review
CIS 6930/4930 Computer and Network Security Final exam review About the Test This is an open book and open note exam. You are allowed to read your textbook and notes during the exam; You may bring your
More informationFall 2010/Lecture 32 1
CS 426 (Fall 2010) Key Distribution & Agreement Fall 2010/Lecture 32 1 Outline Key agreement without t using public keys Distribution of public keys, with public key certificates Diffie-Hellman Protocol
More informationCryptology Part 1. Terminology. Basic Approaches to Cryptography. Basic Approaches to Cryptography: (1) Transposition (continued)
Cryptology Part 1 Uses of Cryptology 1. Transmission of a message with assurance that the contents will be known only by sender and recipient a) Steganography: existence of the message is hidden b) Cryptography:
More informationSession key establishment protocols
our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session
More informationCSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L
CS 3461/5461: Introduction to Computer Networking and Internet Technologies Network Security Study: 21.1 21.5 Kannan Srinivasan 11-27-2012 Security Attacks, Services and Mechanisms Security Attack: Any
More informationAuthentication. Strong Password Protocol. IT352 Network Security Najwa AlGhamdi
Authentication Strong Password Protocol 1 Strong Password Protocol Scenario : Alice uses any workstation to log to the server B, using a password to authenticate her self. Various way to do that? Use Ur
More informationSession key establishment protocols
our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session
More informationSecurity protocols and their verification. Mark Ryan University of Birmingham
Security protocols and their verification Mark Ryan University of Birmingham Contents 1. Authentication protocols (this lecture) 2. Electronic voting protocols 3. Fair exchange protocols 4. Digital cash
More informationDigital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)
Message Authentication Code (MAC) Key-dependent one-way hash function Only someone with a correct key can verify the hash value Easy way to turn one-way hash function into MAC is to encrypt hash value
More informationICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification
ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification Hossen Asiful Mustafa Introduction Entity Authentication is a technique designed to let one party prove the identity of another
More informationDistributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018
Distributed Systems 25. Authentication Paul Krzyzanowski Rutgers University Fall 2018 2018 Paul Krzyzanowski 1 Authentication For a user (or process): Establish & verify identity Then decide whether to
More informationUser Authentication Protocols
User Authentication Protocols Class 5 Stallings: Ch 15 CIS-5370: 26.September.2016 1 Announcement Homework 1 is due today by end of class CIS-5370: 26.September.2016 2 User Authentication The process of
More informationCryptography and Network Security Chapter 13. Digital Signatures & Authentication Protocols
Cryptography and Network Security Chapter 13 Digital Signatures & Authentication Protocols Digital Signatures have looked at message authentication but does not address issues of lack of trust digital
More informationLecture 9a: Secure Sockets Layer (SSL) March, 2004
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York University artg@cs.nyu.edu Security Achieved by
More informationCS November 2018
Authentication Distributed Systems 25. Authentication For a user (or process): Establish & verify identity Then decide whether to allow access to resources (= authorization) Paul Krzyzanowski Rutgers University
More information8.7 Authentication Protocols
Page 1 of 11 [ Team LiB ] 8.7 Authentication Protocols Authentication is the technique by which a process verifies that its communication partner is who it is supposed to be and not an imposter. Verifying
More informationAuthentication in real world: Kerberos, SSH and SSL. Zheng Ma Apr 19, 2005
Authentication in real world: Kerberos, SSH and SSL Zheng Ma Apr 19, 2005 Where are we? After learning all the foundation of modern cryptography, we are ready to see some real world applications based
More informationCS Protocol Design. Prof. Clarkson Spring 2017
CS 5430 Protocol Design Prof. Clarkson Spring 2017 Review Cryptography: Encryption, block ciphers, block cipher modes, MACs, cryptographic hash functions, digital signatures, authenticated encryption,
More informationOverview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation
Overview Key exchange Session vs. interchange keys Classical, public key methods Key generation Cryptographic key infrastructure Certificates Key storage Key escrow Key revocation Digital signatures May
More informationCS3235 Seventh set of lecture slides
CS3235 Seventh set of lecture slides Hugh Anderson National University of Singapore School of Computing October, 2007 Hugh Anderson CS3235 Seventh set of lecture slides 1 Warp 9... Outline 1 Public Key
More informationKey Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature
Key Management Digital signatures: classical and public key Classic and Public Key exchange 1 Handwritten Signature Used everyday in a letter, on a check, sign a contract A signature on a signed paper
More informationTrusted Intermediaries
AIT 682: Network and Systems Security Topic 7. Trusted Intermediaries Instructor: Dr. Kun Sun Trusted Intermediaries Problem: authentication for large networks Solution #1 Key Distribution Center (KDC)
More informationAIT 682: Network and Systems Security
AIT 682: Network and Systems Security Topic 7. Trusted Intermediaries Instructor: Dr. Kun Sun Trusted Intermediaries Problem: authentication for large networks Solution #1 Key Distribution Center (KDC)
More informationCryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology
Cryptography & Key Exchange Protocols Faculty of Computer Science & Engineering HCMC University of Technology Outline 1 Cryptography-related concepts 2 3 4 5 6 7 Key channel for symmetric cryptosystems
More informationThe Kerberos Authentication System Course Outline
The Kerberos Authentication System Course Outline Technical Underpinnings - authentication based on key sharing - Needham-Schroeder protocol - Denning and Sacco protocol Kerbeors V - Login and client-server
More informationOutline More Security Protocols CS 239 Computer Security February 4, 2004
Outline More Security Protocols CS 239 Computer Security February 4, 2004 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication
More informationData Communication Prof.A.Pal Dept of Computer Science & Engineering Indian Institute of Technology, Kharagpur Lecture - 40 Secured Communication - II
Data Communication Prof.A.Pal Dept of Computer Science & Engineering Indian Institute of Technology, Kharagpur Lecture - 40 Secured Communication - II Hello and welcome to today's lecture on secured communication.
More informationCSC 482/582: Computer Security. Security Protocols
Security Protocols Topics 1. Basic Concepts of Cryptography 2. Security Protocols 3. Authentication Protocols 4. Key Exchange Protocols 5. Kerberos 6. Public Key Infrastructure Encryption and Decryption
More informationL7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806
L7: Key Distributions Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806 9/16/2015 CSCI 451 - Fall 2015 1 Acknowledgement Many slides are from or are
More informationKey Management and Distribution
CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Chapter 10 Key Management; Other Public Key Cryptosystems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan
More informationT Cryptography and Data Security
T-79.4501 Cryptography and Data Security Lecture 10: 10.1 Random number generation 10.2 Key management - Distribution of symmetric keys - Management of public keys Stallings: Ch 7.4; 7.3; 10.1 1 The Use
More informationDatasäkerhetsmetoder föreläsning 7
Datasäkerhetsmetoder föreläsning 7 Nyckelhantering Jan-Åke Larsson Cryptography A security tool, not a general solution Cryptography usually converts a communication security problem into a key management
More informationAuthentication. Overview of Authentication systems. IT352 Network Security Najwa AlGhamdi
Authentication Overview of Authentication systems 1 Approaches for Message Authentication Authentication is process of reliably verifying the identity of someone. Authentication Schemes 1. Password-based
More informationCS 161 Computer Security
Popa & Wagner Spring 2016 CS 161 Computer Security Discussion 5 Week of February 19, 2017 Question 1 Diffie Hellman key exchange (15 min) Recall that in a Diffie-Hellman key exchange, there are values
More informationComputer Security 4/12/19
Authentication Computer Security 09. Authentication Identification: who are you? Authentication: prove it Authorization: you can do it Paul Krzyzanowski Protocols such as Kerberos combine all three Rutgers
More informationCS Protocols. Prof. Clarkson Spring 2016
CS 5430 Protocols Prof. Clarkson Spring 2016 Review: Secure channel When we last left off, we were building a secure channel The channel does not reveal anything about messages except for their timing
More information22-security.txt Tue Nov 27 09:13: Notes on Security Protocols , Fall 2012 Carnegie Mellon University Randal E.
22-security.txt Tue Nov 27 09:13:37 2012 1 Notes on Security Protocols 15-440, Fall 2012 Carnegie Mellon University Randal E. Bryant References: Tannenbaum: 9.1, 9.2 (skip 9.2.3), 9.4.1 BASICS Desired
More informationComputer Security. 10. Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2017
Computer Security 10. Exam 2 Review Paul Krzyzanowski Rutgers University Spring 2017 March 23, 2018 CS 419 2017 Paul Krzyzanowski 1 Question 1(a) Suppose you come across some old text in the form GEPPQ
More informationIntroduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.
Trusted Intermediaries CSC/ECE 574 Computer and Network Security Topic 7. Trusted Intermediaries Problem: authentication for large networks Solution #1 Key Distribution Center () Representative solution:
More informationOutline More Security Protocols CS 239 Computer Security February 6, 2006
Outline More Security Protocols CS 239 Computer Security February 6, 2006 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication
More informationPassword-based authentication and key distribution protocols with perfect forward secrecy
Journal of Computer and System Sciences 72 (2006) 1002 1011 www.elsevier.com/locate/jcss Password-based authentication and key distribution protocols with perfect forward secrecy Hung-Min Sun a,, Her-Tyan
More informationProving who you are. Passwords and TLS
Proving who you are Passwords and TLS Basic, fundamental problem Client ( user ) How do you prove to someone that you are who you claim to be? Any system with access control must solve this Users and servers
More informationTest 2 Review. (b) Give one significant advantage of a nonce over a timestamp.
Test 2 Review Name Student ID number Notation: {X} Bob Apply Bob s public key to X [Y ] Bob Apply Bob s private key to Y E(P, K) Encrypt P with symmetric key K D(C, K) Decrypt C with symmetric key K h(x)
More informationOverview. Terminology. Password Storage
Class: CSG254 Network Security Team: Enigma (team 2) Kevin Kingsbury Tejas Parikh Tony Ryan Shenghan Zhang Assignment: PS3 Secure IM system Overview Our system uses a server to store the passwords, and
More informationContents Digital Signatures Digital Signature Properties Direct Digital Signatures
Contents Digital Signatures... 197 Digital Signature Properties... 198 Direct Digital Signatures... 198 199...قابلداوری Arbitrated Digital Signatures Arbitrated Digital Signature Technaiques... 200 Authentication
More informationCSC/ECE 774 Advanced Network Security
Computer Science CSC/ECE 774 Advanced Network Security Topic 2. Network Security Primitives CSC/ECE 774 Dr. Peng Ning 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange;
More informationKey distribution and certification
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must be ensured. Problem solution: Certification Authority
More information13/10/2013. Kerberos. Key distribution and certification. The Kerberos protocol was developed at MIT in the 1980.
Key distribution and certification Kerberos In the case of public key encryption model the authenticity of the public key of each partner in the communication must be ensured. Problem solution: Certification
More informationNetwork Security. Chapter 8. MYcsvtu Notes.
Network Security Chapter 8 Network Security Some people who cause security problems and why. Cryptography Introduction Substitution ciphers Transposition ciphers One-time pads Fundamental cryptographic
More informationECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos
ECE596C: Handout #9 Authentication Using Shared Secrets Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract. In this lecture we introduce the concept of authentication and
More informationChapter 9 Public Key Cryptography. WANG YANG
Chapter 9 Public Key Cryptography WANG YANG wyang@njnet.edu.cn Content Introduction RSA Diffie-Hellman Key Exchange Introduction Public Key Cryptography plaintext encryption ciphertext decryption plaintext
More informationLecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.
15-441 Lecture Nov. 21 st 2006 Dan Wendlandt Worms & Viruses Phishing End-host impersonation Denial-of-Service Route Hijacks Traffic modification Spyware Trojan Horse Password Cracking IP Spoofing DNS
More information