Principles of Security Part 4: Authentication protocols Sections 3 and 4

Transcription

1 Principles of Security Part 4: protocols Sections 3 and 4 Oxford Michaelmas Term 2008

2 Outline asic ideas of authentication Challenge-Response ttacks What did we learn?

3 Outline asic ideas of authentication Challenge-Response ttacks What did we learn?

4 Outline asic ideas of authentication Challenge-Response ttacks What did we learn?

5 Outline asic ideas of authentication Challenge-Response Examples ttacks Examples of impersonation ttack on (CRS0) ttack on (CRS0-nest) ttack on (CRS 0 ) ttack on (CRS 0 -nest) What did we learn?

6 Recall from Part 1: CPTCH Examples ttack on (CRS0) ttack on (CRS0-nest)

7 Man-in-the-Middle (MitM) ttack Examples ttack on (CRS0) ttack on (CRS0-nest)

8 Man-in-the-Middle (MitM) ttack Smart card relay Examples ttack on (CRS0) ttack on (CRS0-nest)... much easier with NFC phones!

9 Refining authentication to capture MitM attacks Examples ttack on (CRS0) The definition of authentication needs to be strengthened to capture not only ttack on (CRS0-nest) the challenge and the response messages, but also principals intent to respond to a challenge.

10 (CRS 0 ) authentication Here is the protocol (CRS 0 ), initiated by ob. Examples ttack on (CRS0) ttack on (CRS0-nest) to : y νy to : S y

11 (CRS 0 ) authentication Here is the protocol (CRS 0 ), initiated by ob. We proved that it correctly implements (CR). Examples ttack on (CRS0) ttack on (CRS0-nest) to : y νy to : S y

12 (CRS 0 ) authentication ut here is a Man-in-the-Middle attack on it. M Examples ttack on (CRS0) ttack on (CRS0-nest) to : y νy M to : y to M: S y to : S y

13 (CRS 0 ) authentication ut here is a Man-in-the-Middle attack on it. (CRS 0 ) does not guarantee agreement about the identities. M Examples ttack on (CRS0) ttack on (CRS0-nest) to : y νy M to : y to M: S y to : S y

14 Ping authentication in (CRS 0 ) We proved that from ob s actions νy Examples ttack on (CRS0) ttack on (CRS0-nest) y (S y)

15 Ping authentication in (CRS 0 ) We proved that from ob s actions, it follows that lice must have been on-line recently. νy Examples ttack on (CRS0) ttack on (CRS0-nest) ((y)) y S y (S y)

16 Ping authentication in (CRS 0 ) We did not prove that from ob s intent to challenge lice νy Examples ttack on (CRS0) ttack on (CRS0-nest) to : y ( to : S y)

17 Ping authentication in (CRS 0 ) We did not prove that from ob s intent to challenge lice follows lice s intent to respond to ob. νy Examples ttack on (CRS0) ttack on (CRS0-nest) ( to : y) to : y to : S y ( to : S y)

18 No agreement in (CRS 0 ) We did not prove that from ob s intent to challenge lice follows lice s intent to respond to ob. νy Examples ttack on (CRS0) ttack on (CRS0-nest) ( to : y) to : y to : S y ( to : S y)

19 Mutual authentication: (CRS 0 -nest) Here is a protocol that we proved secure, assuming that lice and ob are honest, and that they both know it. νx to : x Examples ttack on (CRS0) ttack on (CRS0-nest) to : y νy to : S (x.y) to : S (x.y)

20 Mutual authentication: (CRS 0 -nest) ut here is a what may happen if lice tries to talk to Mallory, who is not honest. νx to M: x M to : y to M: S (x.y) M to : S M (x.y) M to : x to : y to : S (x.y) to : S (x.y) νy Examples ttack on (CRS0) ttack on (CRS0-nest)

21 Moral Examples ttack on (CRS0) ttack on (CRS0-nest) To avoid impersonation, always specify the participants of the the challenge-response exchange in the protected message.

22 One-way authentication with Signature (CRS 0 ) = (CR) [ c x = x, r x = S x ] NOT νx x Examples ttack on (CRS0) ttack on (CRS0-nest) S x

23 One-way authentication with Signature (CRS) = (CR) [ c x = x, r x = S (.x) ] UT νx x Examples ttack on (CRS0) ttack on (CRS0-nest) S (.x)

24 Mutual authentication with Signatures (CRS 0 -seq) = (ISO ) NOT νx x Examples ttack on (CRS0) ttack on (CRS0-nest) y,s (x.y) νy S (x.y)

25 Mutual authentication with Signatures (CRS-seq) UT νx x Examples ttack on (CRS0) ttack on (CRS0-nest) y,s (.x.y) νy S (.x.y)

26 Mutual authentication with Signatures (CRS 0 -nest) NOT νx x Examples ttack on (CRS0) ttack on (CRS0-nest) νy y S (x.y) S (x.y)

27 Mutual authentication with Signatures (CRS-nest) UT νx x Examples ttack on (CRS0) ttack on (CRS0-nest) νy y S (.x.y) S (.x.y)

28 One-way authentication with Encryptions (CREE 0 ) NOT νx E x Examples ttack on (CRS0) ttack on (CRS0-nest) E x

29 One-way authentication with Encryptions (CREE) UT Examples ttack on (CRS0) ttack on (CRS0-nest) νx E (.x) E x

30 Mutual authentication with Encryptions (CREE 0 -seq) NOT νx E x Examples ttack on (CRS0) ttack on (CRS0-nest) E (x.y) νy E y

31 Mutual authentication with Encryptions (NSPK)... and NOT Examples ttack on (CRS0) ttack on (CRS0-nest) νx E (.x) E (x.y) νy E y

32 Mutual authentication with Encryptions (CREE-seq) = (NSL) UT Examples ttack on (CRS0) ttack on (CRS0-nest) νx E (.x) E (.x.y) νy E y

33 Discussion The definitions of one-way authentication in terms of the challenge-response pattern, Examples ttack on (CRS0) ttack on (CRS0-nest) mutual authentication in terms of the matching conversation records still allow confusion about who is talking to whom.

34 Strong one-way authentication Intended authentication νx Examples ttack on (CRS0) ttack on (CRS0-nest) to : c x ( to : r x)

35 Strong one-way authentication Intended authentication νx Examples ttack on (CRS0) ttack on (CRS0-nest) to : c x ( to : c x) ( to : r x) to : r x

36 Strong mutual authentication greement Strong mutual authentication requires not only matching conversation records: all principals records of the content and the order Examples ttack on (CRS0) ttack on (CRS0-nest) of all messages must coincide, but also matching views of the intent: all principals views of the purported sources and the intended destinations of all messages should also coincide.

37 Strong authentication with signatures Proposition The protocols (CRS), (CRS-seq) and (CRS-nest) all realize strong authentication. Examples ttack on (CRS0) ttack on (CRS0-nest)

38 Strong authentication with signatures Proposition The protocols (CRS), (CRS-seq) and (CRS-nest) all realize strong authentication. Examples ttack on (CRS0) ttack on (CRS0-nest) Homework Prove this.

39 Outline asic ideas of authentication Challenge-Response ttacks What did we learn? Key setup again More on Servers Conclusion ack to key setup More on Servers What has been achieved?

40 Secure key generation Can we now generate keys securely... νx to :g x Key setup again More on Servers Conclusion νy to :g y k =(g y ) x k =(g x ) y

41 Secure key generation... while avoiding the MitM-attacks? M νx to :g x to :gỹ ν x νỹ to :g x νy to :g y Key setup again More on Servers Conclusion k =g xỹ g xỹ g xy k =g xy

42 Secure key generation Yes! Take (CRS-seq) for authentication... νx Key setup again x More on Servers Conclusion νy y, S (.x.y) S (.x.y)

43 Secure key generation... and plug in (DHK) for key agreement. νx g x Key setup again More on Servers Conclusion νy g y, S (. g x.g y ) S (. g x.g y ) k =(g y ) x k =(g x ) y

44 Secure key generation The signatures S are bound to their owners by certificates C. νx g x Key setup again More on Servers Conclusion νy g y, C, S (. g x.g y ) C, S (. g x.g y ) k =(g y ) x k =(g x ) y where C X = S S( X.V X)

45 ootstrapping authentication Symmetric Key Servers using symmetric keys is piped S through an Server S. Key setup again More on Servers Conclusion

46 ootstrapping authentication Symmetric Key Servers using symmetric keys is piped S through an Server S. (Recall Yahalom.) symmetric key Server is often called a Key Distribution Center (KDC). Key setup again More on Servers Conclusion

47 ootstrapping authentication Symmetric Key Servers using symmetric keys is piped S through an Server S. (Recall Yahalom.) symmetric key Server is often called a Key Distribution Center (KDC). Key setup again More on Servers Conclusion Public Key Servers using public keys goes directly, but an Server S must certify public keys in advance, and issue C and C. public key Server is often called a Certifying uthority (C).

48 KDCs and Cs Similarities n Server S shares a key with every principal, in its range. is bootstrapped over S and S. Key setup again More on Servers Conclusion

49 KDCs and Cs Similarities n Server S shares a key with every principal, in its range. is bootstrapped over S and S. Key setup again More on Servers Conclusion Differences KDC directly participates in every authentication session between every and. C authenticates each in advance, and issues a certificate C, which can be used at any time, for any session with any.

50 KDCs and Cs Disadvantages of KDC can impersonate everyone to everyone single point of failure, performance bottleneck must be on-line, otherwise the network halts Key setup again More on Servers Conclusion

51 KDCs and Cs Disadvantages of KDC can impersonate everyone to everyone single point of failure, performance bottleneck must be on-line, otherwise the network halts Key setup again More on Servers Conclusion Disadvantage of C revocation C distributes Certificate Revocation Lists (CRL) every certificate should be checked against CRL often omitted

52 Secure key generation dding key confirmation and identity protection to νx g x Key setup again More on Servers Conclusion νy g y, C, S (. g x.g y ) C, S (. g x.g y ) k =(g y ) x k =(g x ) y

53 Secure key generation... we get in the realm of practical protocols: νx g x Key setup again More on Servers Conclusion g y, E (C, S (. g x.g y )) νy E (C, S (. g x.g y )) k =(g y ) x k =(g x ) y where E (u) = E ( k, u )

54 Secure key generation Problem: ob exposed to DoS attack! νx g x Key setup again More on Servers Conclusion g y, E (C, S (. g x.g y )) νy E (C, S (. g x.g y )) k =(g y ) x k =(g x ) y where E (u) = E ( k, u )

55 Secure key generation Solution: Expand (CRS-nest) by (DHK) νx g x νy g y Key setup again More on Servers Conclusion C, S (. g x.g y ) k =(g y ) x C, S (. g x.g y ) k =(g x ) y

56 Secure key generation... just like before to νx g x νy g y Key setup again More on Servers Conclusion E (C, S (. g x.g y )) k =(g y ) x E (C, S (. g x.g y )) k =(g x ) y

57 Secure key generation If ob is a busy C, he can use cookies H xy... νx Key setup again g x g y, H xy νy More on Servers Conclusion g x, g y, H xy, E (C, S (. g x.g y )) k =(g y ) x E (C, S (. g x.g y )) k =(g x ) y where H xy = H (g x.g y )

58 Secure key generation... and needn t keep the state at all! νx g x g y, H xy νy Key setup again More on Servers Conclusion g x, g y, H xy, E (C, S (. g x.g y )) k =(g y ) x E (C, S (. g x.g y )) k =(g x ) y where H xy = H (g x.g y )

59 Secure key generation The core of IKEv2 (and JFK), the basic IPSec protocol: νx g x νy g y, H xy, C Key setup again More on Servers Conclusion g x, g y, H xy, E (C, S (C. g x.g y )) k =(g y ) x E (S (g x.g y )) k =(g x ) y where H xy = H (g x.g y )

60 Secure key generation Homework What are the security consequences of replacing S (. g x.g y ) by S ( C. g x.g y) in the third message in the preceding protocol? Key setup again More on Servers Conclusion Is this protocol open for a MitM-attack because of S (g x.g y ) instead of S (. g x.g y ) in the final message? What kind of attacks would become possible if the encryptions by E were removed?

61 Summary: Questions of authentication Why is it that it is easy to establish a secure channel, but it is hard to know with whom? Key setup again More on Servers Conclusion

62 Summary: Questions of authentication Why is it that it is easy to establish a secure channel, but it is hard to know with whom? Key setup again More on Servers Conclusion Why is it that crypto systems are broken once in a while, but authentications fail every day?

63 Old answer: is a deep problem From local observations to global conclusions through reflection Key setup again More on Servers Conclusion René to himself: "I think, therefore I exist."

64 New answer: is a technical problem From local observations to global conclusions by cryptography Key setup again More on Servers Conclusion lice to ob: "Noone else could decrypt this, therefore you exist."

65 in Cyberspace ssumptions the network is controlled by the dversary Key setup again More on Servers Conclusion "Satan s computer" the dversary is computationally limited the same algorithmics like everyone else

66 ut computational limitations are relative to the available computational resources Traveling Salesman Problem unfeasible for standard computers NP-hard for Turing machines Key setup again More on Servers Conclusion

67 ut computational limitations are relative to the available computational resources Traveling Salesman Problem easy for the ants in your yard they use pheromones as a computational resource Key setup again More on Servers Conclusion pheromone evaporates at a steady rate new paths are generated at random each ant leaves a pheromone trail behind it old paths are marked and amplified by pheromone the stronger the marking, the more attractive the path shorter paths become more attractive shorter time for evaporation

68 eyond Cyberspace What if computation is not limited to cyberspace? Key setup again More on Servers Conclusion

69 eyond Cyberspace What if computation is not limited to cyberspace? What if lice, ob, Mallory and Satan, besides computers, also use smart cards, mobile phones, fly planes, shoot guns and even talk to each other? Key setup again More on Servers Conclusion

70 eyond Cyberspace What if computation is not limited to cyberspace? What if lice, ob, Mallory and Satan, besides computers, also use smart cards, mobile phones, fly planes, shoot guns and even talk to each other? Key setup again More on Servers Conclusion They do all that in pervasive computation. Next part.