6. Security Handshake Pitfalls


Contents

6.1 Introduction
6.2 Log-in Only
6.3 Mutual Authentication
6.4 Integrity/Encryption of Data
6.5 Mediated Authentication (with KDC)
6.6 Bellovin-Merritt
6.7 Network Log-in and Password Guessing
6.8 Nonce Types

6.1 Introduction

During the handshake phase, communication parameters are negotiated and initial information is exchanged. Some of this information is secret (e.g. the password), some is not (e.g. the user names).

Phases: Initialization Phase (Handshake), then Communication (Secure).

In Chapter 5 examples of security handshakes were discussed. Even minor deviations from secure protocols may produce security holes.

6.1 Introduction

To cope with different types of threats, individual protocols have different strengths and weaknesses.

- Some threats are more likely in some situations.
- Availability of resources may differ: computational power, specialized hardware.
- Humans and computers may behave differently.
- Protocols themselves may be flawed.

The aim of this chapter: to describe some typical protocols and evaluate their respective performance, i.e. number of messages needed, processing power required, compactness of messages.

6.2 Login Only

Many protocols were designed for environments where eavesdropping was not a concern. Authentication in such protocols consists of:

1. Alice sends her name and password to Bob.
2. Bob verifies the name and password, and then communication commences, without any further attention to security.

  Authentication:
    1. Alice -> Bob: Name, Password
    2. Bob: Check name and password!
  Communication

A very common enhancement to such a protocol is to replace the transmission of the cleartext password with a cryptographic challenge/response.

6.2 Login Only / Shared Secret

  Alice -> Bob: I'm Alice
  Bob -> Alice: a challenge R
  Alice -> Bob: K_AB{R}

This would be a big improvement over cleartext passwords. An eavesdropper cannot impersonate Alice based on overhearing the exchange, since next time there will be a different challenge. However, there are some weaknesses to this protocol:

- Authentication is not mutual.
- If this is the entire protocol, then Trudy can hijack the conversation after the initial exchange.
- An eavesdropper could mount an off-line password-guessing attack.
- Someone who has access to Bob's database can impersonate Alice.

A minor variation:

  Alice -> Bob: I'm Alice
  Bob -> Alice: K_AB{R}
  Alice -> Bob: R

This protocol has only minor security differences from the previous one:

- This protocol requires reversible cryptography, for example a secret key cryptographic algorithm.
- If R is a recognizable quantity, Trudy can mount a password-guessing attack without eavesdropping by merely sending the message "I am Alice" and obtaining K_AB{R}.

6.2 Login Only / Shared Secret

Another variation of the original protocol:

  Alice -> Bob: I'm Alice, K_AB{timestamp}

This modification requires Alice and Bob to have synchronized clocks. The properties of this modification include:

- It can be added very easily to a protocol designed for sending cleartext passwords, since it does not add any additional messages.
- The protocol is now more efficient. The server does not have to keep any transient status information about Alice.
- Someone eavesdropping can use Alice's K_AB{timestamp} to impersonate Alice (albeit only within a small time interval).
- Another potential security pitfall occurs if there are multiple servers for which Alice uses the same secret K_AB: an eavesdropper who acts quickly can use Alice's encrypted timestamp field and impersonate Alice on a different server.

Requirements and disadvantages of the discussed protocols:

- They require a secret key cryptography algorithm, and therefore shared secret keys.
- Trudy can impersonate Alice if she can read Bob's database.

These weaknesses can be avoided if the protocol is based on public key technology.
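The two replay windows of the timestamp variant, and server-side checks that close them, as an added example that is not part of the original slides. It assumes HMAC-SHA256 as a stand-in for K_AB{timestamp}, a 30-second skew window, and two hypothetical servers named "mail" and "files"; the replay cache and the server name bound into the authenticator are added mitigations, not something the slides specify.

```python
import hashlib
import hmac

SKEW = 30  # accepted clock skew in seconds (assumed value)


def authenticator(k_ab: bytes, ts: int, server: bytes = b"") -> bytes:
    """Stand-in for K_AB{timestamp}: HMAC over an optional server name and the timestamp."""
    return hmac.new(k_ab, server + b"|" + str(ts).encode(), hashlib.sha256).digest()


class LoginServer:
    """One of several servers that share the same K_AB with the user."""

    def __init__(self, name: bytes, k_ab: bytes, hardened: bool):
        self.name, self.k_ab, self.hardened = name, k_ab, hardened
        self.seen = {}  # authenticator -> timestamp, kept while inside the window

    def login(self, ts: int, tag: bytes, now: int) -> bool:
        # Synchronized clocks: reject anything outside the skew window.
        if abs(now - ts) > SKEW:
            return False
        # Hardened servers expect their own name inside the authenticator.
        bound = self.name if self.hardened else b""
        if not hmac.compare_digest(tag, authenticator(self.k_ab, ts, bound)):
            return False
        if self.hardened:
            # Forget entries the skew check would reject anyway, then
            # refuse any authenticator already used inside the window.
            self.seen = {t: s for t, s in self.seen.items() if abs(now - s) <= SKEW}
            if tag in self.seen:
                return False
            self.seen[tag] = ts
        return True


def run(hardened: bool) -> dict:
    """Replay one captured authenticator against both servers (constructed values)."""
    k_ab = b"constructed shared secret"
    mail = LoginServer(b"mail", k_ab, hardened)
    files = LoginServer(b"files", k_ab, hardened)
    t0 = 1_700_000_000
    tag = authenticator(k_ab, t0, b"mail" if hardened else b"")
    return {
        "first_login": mail.login(t0, tag, now=t0 + 1),
        "replay_same_server": mail.login(t0, tag, now=t0 + 5),
        "replay_other_server": files.login(t0, tag, now=t0 + 5),
        "replay_after_window": mail.login(t0, tag, now=t0 + SKEW + 1),
    }


if __name__ == "__main__":
    print("as on the slide:", run(hardened=False))
    print("with replay cache and server binding:", run(hardened=True))
```

The hardened server gives up the "no transient state" property listed above: it has to remember authenticators for the length of the skew window.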

6.2 Login Only / One-Way Public Key

[R]_Alice means that Alice signs R, i.e. transforms R using her private key.

  Alice -> Bob: I'm Alice
  Bob -> Alice: R
  Alice -> Bob: [R]_Alice

The above protocol is based on a public key and is similar to the first protocol. Bob verifies Alice's signature [R]_Alice using her public key, and accepts the login if the result matches R.

The advantage of this protocol: reading Alice's database at Bob is no longer a potential security threat, but it must be protected from unauthorized modification.

If you can impersonate Bob's network address you can trick Alice into signing something (wait for Alice to try to log in and then give her your quantity).

{R}_Alice means that Bob encrypts R with Alice's public key.

  Alice -> Bob: I'm Alice
  Bob -> Alice: {R}_Alice
  Alice -> Bob: R

Properties of this protocol:

- Requires a reversible public key algorithm.
- If you can impersonate Bob's network address you can trick Alice into decrypting something (wait for Alice to try to log in and send the encrypted message).

Solution: a message should have a structure so that it cannot be mistaken for another type. See Public-Key Cryptography Standard (PKCS).

6.2 Login Only / Lamport's Hash

Lamport's Hash: an interesting one-time password scheme.

- It allows Bob to authenticate Alice in a way that neither eavesdropping on an authentication exchange nor reading Bob's database enables someone to impersonate Alice.
- No need for public key cryptography.

Requirements:

- Alice remembers a password; Alice is a human.
- Bob (the server) has a database; for each user it stores:
  - username,
  - n, decremented each time the user authenticates herself,
  - hash^n(password), i.e. hash(hash(...(hash(password))...)).

  Alice -> Alice's workstation: Alice, Password
  Alice's workstation -> Bob: x_n = hash^n(Password), n
  Bob's database: x_n = hash^n(Password), n

Initialization of a password: Alice chooses a password. Alice's workstation chooses the number n, computes x_1 = hash(password), x_2 = hash(x_1), ..., x_n = hash(x_{n-1}) = hash^n(password), and sends it to Bob together with n.

6.2 Login Only / Lamport's Hash

  Alice -> Alice's workstation: Alice, Password
  Alice's workstation -> Bob: Alice
  Bob -> Alice's workstation: n
  Alice's workstation -> Bob: x = hash^{n-1}(Password)
  Bob knows <n, hash^n(Password)>; compares hash(x) to hash^n(Password); if equal, replaces <n, hash^n(Password)> with <n-1, x>

Authentication of a user: Alice enters her username and password. Her workstation sends the name to Bob, which returns n. The workstation computes hash^{n-1}(password) and sends the result to Bob. Bob takes the received value, hashes it once, and compares it with its database. In case of a match Bob considers the response valid, replaces the stored quantity with the received quantity, and replaces n by n-1.

Setting up a new password: if n = 1, Alice needs to set her password again. In many situations it suffices to choose a new password, compute hash^n(new password), and transmit hash^n(new password) and n to Bob.

An enhancement is to add a salt value to the password (like in the UNIX password environment), with the same advantages. Another advantage of salt is that Alice will not need to change her password if n = 1.

Properties:

- It is similar to public-key schemes in that Alice's database at Bob is not security sensitive.
- The user can only log in a finite number of times before having to re-install the password at the server.
- No mutual authentication.
- The small n attack.

6.2 Login Only / Lamport's Hash - The small n attack

The small n attack is the worst weakness of Lamport's Hash. An intruder Trudy, who is able to impersonate Bob's network address, waits for Alice's log-in. When Alice attempts to log into Bob, Trudy returns a small value for n, say 50. When Alice responds with hash^50(password), Trudy has enough information to impersonate Alice for some time, assuming that the actual value of n at Bob is greater than 50.

Two solutions:

- Human and paper environment: when <n, hash^n(password)> is installed at the server, all values of hash^i(password) for i < n are computed, encoded into a typeable string, printed on paper, and given to Alice. When she logs in, she uses the string at the top of the page, crosses that value out, and uses the next value the next time.
- Workstation environment: Alice's workstation displays n to the human(!). If Alice remembers approximately what n should be, she can at least do a rough plausibility check on n.
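Lamport's hash end to end, including why a reply to a too-small n is dangerous and how a check on n stops it, as an added example that is not part of the original slides. It assumes SHA-256 as the hash and a salt prepended to the password; the workstation that remembers the last n and refuses implausible values automates the slide's human check and is an assumption of this sketch.

```python
import hashlib


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def hash_n(password: bytes, salt: bytes, n: int) -> bytes:
    """hash^n(password): the hash applied n times to salt || password."""
    x = salt + password
    for _ in range(n):
        x = h(x)
    return x


class Server:
    """Stores only <n, hash^n(password)> per user, never the password."""

    def __init__(self):
        self.db = {}

    def enroll(self, user: str, n: int, x_n: bytes) -> None:
        self.db[user] = (n, x_n)

    def challenge(self, user: str) -> int:
        return self.db[user][0]

    def login(self, user: str, x: bytes) -> bool:
        n, stored = self.db[user]
        if n <= 1 or h(x) != stored:      # at n = 1 the password must be re-installed
            return False
        self.db[user] = (n - 1, x)        # replace <n, hash^n> with <n-1, x>
        return True


class Workstation:
    """Answers a challenge n with hash^(n-1), but only if n is plausible."""

    def __init__(self, salt: bytes, tolerance: int = 5):
        self.salt, self.tolerance, self.last_n = salt, tolerance, None

    def respond(self, password: bytes, n: int) -> bytes:
        # n should be slightly below the last value seen; the tolerance allows
        # for a few logins made from other workstations in between.
        if self.last_n is not None and not (self.last_n - self.tolerance <= n < self.last_n):
            raise ValueError(f"implausible n={n}, last seen {self.last_n}")
        self.last_n = n
        return hash_n(password, self.salt, n - 1)


def demo():
    salt, pw = b"constructed-salt", b"constructed password"
    server = Server()
    server.enroll("alice", 1000, hash_n(pw, salt, 1000))
    ws = Workstation(salt)

    honest = server.login("alice", ws.respond(pw, server.challenge("alice")))

    # What a workstation WITHOUT the check would hand over for a forged n = 50.
    leaked = hash_n(pw, salt, 49)
    # Hashing forward is free, so the leaked value yields every later response
    # the server will ask for while its n stays above 50.
    n_now = server.challenge("alice")                 # 999
    forged = leaked
    for _ in range((n_now - 1) - 49):
        forged = h(forged)
    leaked_value_accepted = server.login("alice", forged)

    try:
        ws.respond(pw, 50)
        refused = False
    except ValueError:
        refused = True
    return honest, leaked_value_accepted, refused, server.challenge("alice")


if __name__ == "__main__":
    print(demo())
```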

6.3 Mutual Authentication

  Alice -> Bob: I'm Alice
  Bob -> Alice: R_1
  Alice -> Bob: K_AB{R_1}
  Alice -> Bob: R_2
  Bob -> Alice: K_AB{R_2}

Mutual authentication means that both communication partners are able to identify each other. An example of a simple protocol for mutual authentication is based on shared secrets.

The previous protocol is inefficient (it needs 5 messages). Improvement: reduce the number of messages to three by putting more than one item of information into each message.

  Alice -> Bob: I'm Alice, R_2
  Bob -> Alice: R_1, K_AB{R_2}
  Alice -> Bob: K_AB{R_1}

  Protocol 6.3

This version of the protocol has a security pitfall known as the reflection attack.

6.3 Mutual Authentication / Reflection Attack

Reflection attack: Trudy starts Protocol 6.3, but when she receives the challenge from Bob, she cannot proceed further, because she cannot encrypt R_1.

  Trudy -> Bob: I'm Alice, R_2
  Bob -> Trudy: R_1, K_AB{R_2}

Trudy has made Bob encrypt R_2. At this point Trudy opens a second session to Bob and uses R_1 as the challenge.

  Trudy -> Bob: I'm Alice, R_1
  Bob -> Trudy: R_3, K_AB{R_1}

Trudy cannot continue this session because she cannot encrypt R_3, but she knows K_AB{R_1}, so she can complete the first session.

Two counter-measures against the reflection attack. Both are based on the principle "don't have Alice and Bob do exactly the same thing".

1. Different keys: the key used to authenticate Alice should be different from the key used to authenticate Bob. For example: Bob's key might be -K_AB or K_AB+1 or K_AB+F0F0F0F0F0F0F0F
2. Different challenges: the initiator's challenge must be different from the one of the responder. For example, use R as challenge.
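The three-message exchange of Protocol 6.3 with a responder that uses one key for both directions, next to the "different keys" counter-measure, as an added example that is not part of the original slides. It assumes HMAC-SHA256 in place of K_AB{R}, and derives the two per-direction keys from K_AB with fixed labels, which is one possible instance of the slide's "K_AB+1" idea rather than the slide's own construction.

```python
import hashlib
import hmac
import os


def f(key: bytes, data: bytes) -> bytes:
    """Stand-in for K{R}: a keyed function only holders of the key can compute."""
    return hmac.new(key, data, hashlib.sha256).digest()


def direction_keys(k_ab: bytes, separate: bool):
    """Return (key proving the initiator, key proving the responder)."""
    if not separate:
        return k_ab, k_ab                          # Protocol 6.3 as on the slide
    return f(k_ab, b"initiator"), f(k_ab, b"responder")


class Responder:
    def __init__(self, k_ab: bytes, separate: bool):
        self.k_init, self.k_resp = direction_keys(k_ab, separate)
        self.pending = {}                          # session id -> challenge R_1

    def msg1(self, sid: str, r2: bytes):
        """Receive "I'm the initiator, R_2"; answer with R_1 and the proof over R_2."""
        r1 = os.urandom(16)
        self.pending[sid] = r1
        return r1, f(self.k_resp, r2)

    def msg3(self, sid: str, proof: bytes) -> bool:
        """Accept the initiator only if the proof over R_1 verifies."""
        r1 = self.pending.pop(sid)
        return hmac.compare_digest(proof, f(self.k_init, r1))


def honest_initiator(responder: Responder, k_ab: bytes, separate: bool) -> bool:
    k_init, k_resp = direction_keys(k_ab, separate)
    r2 = os.urandom(16)
    r1, proof = responder.msg1("honest", r2)
    if not hmac.compare_digest(proof, f(k_resp, r2)):   # authenticate the responder
        return False
    return responder.msg3("honest", f(k_init, r1))


def reflected_session(responder: Responder) -> bool:
    """A party WITHOUT K_AB feeds the responder's own challenge back to it
    in a second session and uses the answer to finish the first one."""
    r1, _ = responder.msg1("s1", os.urandom(16))
    _, borrowed = responder.msg1("s2", r1)         # responder computes the proof over R_1
    return responder.msg3("s1", borrowed)


def demo() -> dict:
    k_ab = b"constructed shared secret"
    return {
        "honest_same_key": honest_initiator(Responder(k_ab, False), k_ab, False),
        "reflection_same_key": reflected_session(Responder(k_ab, False)),
        "honest_separate_keys": honest_initiator(Responder(k_ab, True), k_ab, True),
        "reflection_separate_keys": reflected_session(Responder(k_ab, True)),
    }


if __name__ == "__main__":
    print(demo())
```

With separate keys the value the responder hands out in the second session is computed under the responder-side key, so it no longer verifies as an initiator proof.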

6.3 Mutual Authentication / Password Guessing

Another security weakness of Protocol 6.3 is that Trudy can mount an off-line password-guessing attack without needing to eavesdrop. Trudy has to send a message to Bob claiming to be Alice. Bob will obligingly return the encrypted value. Then Trudy has the pair <R, K_AB{R}> which she can use to check password guesses.

This weakness can be fixed by adding another message to Protocol 6.1.

  Alice -> Bob: I'm Alice
  Bob -> Alice: R_1
  Alice -> Bob: K_AB{R_1}, R_2
  Bob -> Alice: K_AB{R_2}

With this protocol Trudy is unable to obtain quantities for an off-line guessing attack.

6.3 Mutual Authentication / Public Keys

  Alice -> Bob: I'm Alice, {R_2}_B
  Bob -> Alice: R_2, {R_1}_A
  Alice -> Bob: R_1

Mutual authentication can also be done with public key technology, assuming that Alice and Bob know each other's public key.

Problems:

- How does Alice know Bob's public key?
- How could Alice's workstation obtain Alice's private key when a password is all Alice knows?

6.3 Mutual Authentication / Timestamps

  Alice -> Bob: I'm Alice, K_AB{timestamp}
  Bob -> Alice: K_AB{timestamp+1}

Mutual authentication can be reduced to two messages by using timestamps instead of random numbers for challenges.

- It is easy to add to existing protocols, since it does not add any additional messages.
- Bob must send a different timestamp than Alice does.
- Kerberos V4 uses this scheme.

6.4 Integrity/Encryption for Data

After the initial authentication Alice and Bob have to:

- add integrity checks to the data or encrypt the data,
- establish a shared, secret, per-conversation key, called the session key, to be used for integrity protection and encryption.

The authentication exchange should be enhanced so that both Alice and Bob will share a session key. It is important that an eavesdropper is not able to figure out what the session key is. After establishing a session key, the workstation can forget the user's password.

6.4 Integrity/Encryption for Data / Shared Secret

Alice and Bob share a secret key K_AB. The authentication is like in the previous protocol. In case of mutual authentication there are two Rs, R_1 and R_2.

  Alice -> Bob: I'm Alice
  Bob -> Alice: R_1
  Alice -> Bob: K_AB{R_1}
  Alice -> Bob: R_2
  Bob -> Alice: K_AB{R_2}

There is sufficient information in this protocol for Alice and Bob to establish a shared session key at this point. For example, they can use (K_AB+1){R}. In general: take the shared secret K_AB and modify it in some way, then encrypt the challenge R using the modified K_AB as the key, and use the result as the session key.

6.4 Integrity/Encryption for Data / Two-Way Public Key

There are several methods to establish session keys with public keys:

1. Alice chooses a random number R, encrypts it with Bob's public key, and sends {R}_B to Bob attached to one of the messages in the authentication exchange.
   Problem: an intruder could hijack the conversation by picking his own R, encrypting it with Bob's public key, and sending it to Bob.
2. Alice can additionally sign the result. In this case, she sends [{R}_B]_A to Bob. Bob first has to verify Alice's signature before decrypting R.
   Problem: Trudy could record the entire conversation between Alice and Bob. If she can later take over Bob she will be able to decrypt the conversation.
3. This is like 2, but Alice picks R_1 and Bob picks R_2. Alice sends {R_1}_B to Bob. Bob sends {R_2}_A to Alice. The session key will be computed from R_1 and R_2. An intruder is not able to learn R_1 and R_2 only by taking over Alice or Bob.
4. Alice and Bob can do a Diffie-Hellman key establishment exchange, where every partner signs the quantity he is sending.

6.4 Integrity/Encryption for Data / One-Way Public Key

In some cases only one of the parties in the conversation has a public/private key pair, e.g. Alice, who needs to prove her identity to a server Bob:

1. Bob could choose a random number R, encrypt it with Alice's public key, send {R}_A to Alice, and R could be the session key.
   Problem: if Trudy records the conversation and later takes over Alice she can decrypt the conversation.
2. Alice and Bob could do a Diffie-Hellman exchange, where Alice signs her quantity.

6.4 Integrity/Encryption for Data / Lamport's Hash

With Lamport's Hash neither side has a public key, and they do not have a shared secret key. Nevertheless, there are several possibilities to establish a shared session key:

1. They can first do the authentication handshake, and then a Diffie-Hellman exchange to establish a session key.
   Problem: an intruder could hijack the conversation after the initial authentication and before the Diffie-Hellman exchange.
2. They can first do a Diffie-Hellman exchange, and then do the authentication handshake as part of a conversation protected with the Diffie-Hellman key.
   Problem: an intruder could do a bucket-brigade attack, establishing a separate Diffie-Hellman key with both Alice and Bob.

6.5 Mediated Authentication

  Alice -> KDC: Alice wants Bob
  KDC invents key K_AB
  KDC -> Alice: K_A{use K_AB for Bob}
  KDC -> Bob: K_B{use K_AB for Alice}

The Key Distribution Center (KDC) has a database holding keys for all users. Any user registered with the KDC can securely communicate with it. The user and the KDC can authenticate each other and encrypt their communication because they each know the key (see figure).

Problems with this protocol:

- The KDC does not know whether it was really Alice who wanted to talk to Bob.
- If Alice immediately sent a message to Bob based on the new shared key, it would be possible that Alice's message arrives first, in which case Bob would not know how to decrypt it.

  Alice -> KDC: Alice wants Bob
  KDC invents key K_AB
  KDC -> Alice: K_A{use K_AB for Bob}, ticket to Bob = K_B{use K_AB for Alice}
  Alice -> Bob: I am Alice, ticket = K_B{use K_AB for Alice}

KDC operation in practice (improvement of the previous protocol):

- The KDC gives Alice the information it would have sent to Bob (Kerberos calls this encrypted information a "ticket").
- The ticket holds information that will allow Alice to access Bob.

6.5 Mediated Authentication / Needham-Schroeder

The Needham-Schroeder protocol is a classic KDC-arbitrated authentication protocol. Kerberos and many other protocols are based on the Needham-Schroeder protocol.

Nonce refers to a number that is used only once. A nonce could be a sequence number or a large random number.

  1. Alice -> KDC: N_1, Alice wants Bob
     KDC invents key K_AB
  2. KDC -> Alice: K_A{N_1, Bob, K_AB, ticket to Bob}, where ticket to Bob = K_B{K_AB, Alice}
  3. Alice -> Bob: ticket, K_AB{N_2}
  4. Bob -> Alice: K_AB{N_2-1, N_3}
  5. Alice -> Bob: K_AB{N_3-1}

Discussion of the protocol:

- Message 1: Alice informs the KDC that she wants to talk to Bob. The nonce N_1 is used to prove that Alice is really talking to the KDC.
- Message 2: The KDC securely transmits the key K_AB to Alice, which it has generated for Alice and Bob to share. The string "Bob" makes it impossible for an intruder to tamper with Alice's request. Along with the encrypted key K_AB and Bob's name, the KDC also sends a ticket to Bob.
- Message 3: Alice sends a challenge (N_2) to Bob, encrypted with K_AB, along with the ticket. Alice knows that only someone who knows Bob's key can decrypt the ticket and obtain the shared key K_AB.
- Message 4: Bob can prove that he knows K_AB if he can find N_2. Also in message 4 Bob sends a challenge (N_3) to Alice, encrypted with K_AB.
- Message 5: Alice proves she knows K_AB.

6.5 Mediated Authentication / Expanded Needham-Schroeder

  Alice -> Bob: I want to talk to you
  Bob -> Alice: K_B{N_B}
  Alice -> KDC: N_1, Alice wants Bob, K_B{N_B}
  KDC invents key K_AB, extracts N_B
  KDC -> Alice: K_A{N_1, Bob, K_AB, ticket to Bob}, where ticket to Bob = K_B{K_AB, Alice, N_B}
  Alice -> Bob: ticket, K_AB{N_2}
  Bob -> Alice: K_AB{N_2-1, N_3}
  Alice -> Bob: K_AB{N_3-1}

The expanded Needham-Schroeder fixes a security hole of the original protocol. If an intruder finds out Alice's key he can claim to be Alice and obtain from the KDC a shared key with Bob, and a ticket to Bob. The problem with the original protocol is that the ticket to Bob remains valid even if Alice changes her key.

6.5 Mediated Authentication / Otway-Rees

The Otway-Rees protocol is an improvement:

- It solves the ticket invalidation problem.
- It does mutual authentication in 5 messages.

  1. Alice -> Bob: N_C, Alice, Bob, K_A{N_A, N_C, Alice, Bob}
  2. Bob -> KDC: K_A{N_A, N_C, Alice, Bob}, K_B{N_B, N_C, Alice, Bob}
     KDC invents key K_AB, extracts N_B
  3. KDC -> Bob: N_C, K_A{N_A, K_AB}, K_B{N_B, K_AB}
  4. Bob -> Alice: K_A{N_A, K_AB}
  5. Alice -> Bob: K_AB{anything recognizable}

Discussion of the protocol:

- Message 1: Alice generates two nonces. N_C is sent in the clear to Bob. N_A is encrypted by Alice and Bob cannot interpret it.

6.5 Mediated Authentication / Otway-Rees

- Message 2: Bob forwards Alice's encrypted message, along with an encrypted message which includes his own nonce N_B. The KDC makes sure that the common nonce N_C is the same in both encrypted messages. If not, the KDC will reject the message.
- Message 3: The KDC gives Bob a message to forward to Alice. This message proves that the KDC and Bob are who they claim to be.
- Message 4: Bob forwards this message to Alice.
- Message 5: Communication starts when both parties have got the session key K_AB.

Problems: the only authentication of Bob in the protocol is done by the KDC, which verifies that the nonce N_C in the message encrypted with K_B is the same as the one in the message encrypted with K_A.

6.6 Bellovin-Merritt

Most of the protocols discussed have the following properties:

- The user's key could be derived from a password.
- Thus, there is the danger that an intruder captures some quantity for an off-line password-guessing attack.

Examples:

  Alice -> Bob: I'm Alice
  Bob -> Alice: a challenge R
  Alice -> Bob: K_AB{R}

  An intruder learns <R, K_AB{R}> pairs.

  Alice -> Bob: I'm Alice, K_AB{timestamp}

  The intruder learns K_AB{timestamp} information.

Bellovin and Merritt designed two protocols to prevent off-line password guessing.

6.6 Bellovin-Merritt / First Scheme

Bellovin-Merritt's first scheme: the basic idea is that Alice and Bob do a Diffie-Hellman exchange, but encrypt the values they exchange. The Diffie-Hellman key is K = g^(R_A R_B) mod p. Subsequently, they do a standard mutual authentication exchange, proving to each other that they know K.

  Message 1: Alice -> Bob: K_AB{g^(R_A) mod p}
  Message 2: Bob -> Alice: K_AB{g^(R_B) mod p}
  Messages 3 to 5: K{R_1 0}; R_1, K{R_2 1}; R_2

Why can an eavesdropper obtain no information in this case?

- There is no way to do a password-guessing attack based on K_AB{g^R mod p}. An intruder has to guess a password, convert it into a key, and then use that key to decrypt the messages. The intruder could not verify that he really got g^(R_A) mod p, since it would be indistinguishable from a random number.
- On messages 3-5 there is also no way to do a password-guessing attack, as they are based on a key that has nothing to do with the user's password.

Why is it necessary to encrypt the Diffie-Hellman exchange? An intruder could gain information for a password-guessing attack by impersonating either Alice or Bob.

Why was the second scheme developed? The first scheme requires Bob to know the user's password. The second scheme requires Bob only to store a hash of the user's password.

6.6 Bellovin-Merritt / Second Scheme

  Bob knows K_AB = hash(password_A), password_A{private key_A}

  1. Alice -> Bob: K_AB{g^(R_A) mod p}
  2. Bob -> Alice: K_AB{g^(R_B) mod p}, R
  3. Alice -> Bob: K{R}
  4. Bob -> Alice: K{Alice's password{Alice's private key}}
  5. Alice -> Bob: [R]_A

Bellovin-Merritt's second scheme:

- In messages 1 and 2, Alice and Bob do a Diffie-Hellman exchange encrypted with a hash of Alice's password to establish a shared key.
- Since Alice's private key is encrypted with her password, the information in Bob's database will not be sufficient for someone to learn Alice's private key and impersonate Alice to Bob.
- In message 3, Alice proves that she knows K.
- In message 4, Bob transmits the encrypted private key, also encrypted with K.
- In message 5, Alice proves that she is really Alice. Bob verifies her signature on R using her public key.

6.7 Network Login and Password Guessing

How to turn the user's low-quality secret into a high-quality secret?

The high-quality secret is encrypted with Alice's password and stored at some location B. Alice's workstation A needs to retrieve this information from B and then decrypt it using Alice's password.

1. A sends "Give me Alice's encrypted secret" to B, who returns it to A. This is typically done if Alice's private key, which is encrypted with Alice's password, is stored in the directory service.

  A -> B: Give me Alice's encrypted secret
  B -> A: password_A{high-quality secret_A}
  B's database: password_A{high-quality secret_A}

6.7 Network Login and Password Guessing

2. Before B is willing to transmit Alice's encrypted high-quality secret, it asks A to prove its knowledge of Alice's password by sending e.g. a hash of the password. This no longer allows an active attacker to obtain quantities.

  A -> B: Alice's encrypted secret, hash(password_A)
  B -> A: password_A{high-quality secret_A}
  B's database: password_A{high-quality secret_A}

3. As in 2, but encrypt the exchange between B and A by using a key established on the fly.
4. As in 2, but encrypt the exchange by making A use a secret or public key for B.
5. Use the first messages of Bellovin-Merritt to establish a secret session key between A and B, and then do 1 or 2.

6.8 Nonce Types

A nonce is a quantity which any given user of a protocol uses only once. Many protocols deploy nonces, and there are different types with different sorts of properties. It is possible that nonces with the wrong properties introduce security weaknesses.

Types of nonces include:

- Random number
- Sequence number
- Timestamp

Next we will discuss some examples of the importance of nonce types.

6.8 Nonce Types

  Alice -> Bob: I'm Alice
  Bob -> Alice: K_AB{R}
  Alice -> Bob: R

In the above protocol the unpredictability of the challenge R is important. Assume Bob is using sequence numbers. When Alice attempts to log in, Bob encrypts the next sequence number and transmits it to Alice. An intruder observing the communication sees the return value of R from Alice. If the intruder knows that Bob is using sequence numbers he can claim to be Alice, get an undecipherable pile of bits from Bob, and return R+1. The attack will be successful!

  Alice -> Bob: I'm Alice
  Bob -> Alice: R
  Alice -> Bob: K_AB{R}

A variation of the previous protocol? Bob shall again use sequence numbers and the intruder is observing the communication. Therefore, he sees the value of R, but he needs to encrypt the next sequence number to attack successfully. If the intruder can impersonate Bob's network address, he can wait for Alice's attempts to authenticate herself. Then the intruder sends the next sequence number to Alice, who returns this number encrypted. The intruder can now use this number for an attack. This is similar to the bucket brigade attack.

6.8 Nonce Types

  Alice -> Bob: I'm Alice
  Bob -> Alice: K_AB{R}
  Alice -> Bob: (K_AB+1){R}

A secure protocol: in the above protocol it is possible to use a predictable nonce for R without threatening the security of the protocol. Even if the intruder can predict R he cannot predict the value sent by Bob or the appropriate response from Alice.


More information

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806 L7: Key Distributions Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806 9/16/2015 CSCI 451 - Fall 2015 1 Acknowledgement Many slides are from or are

More information

Session key establishment protocols

Session key establishment protocols our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session

More information

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall 2009 Nitesh Saxena *Adopted from a previous lecture by Gene Tsudik Course Admin HW3 Problem 3 due Friday midnight

More information

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC) Message Authentication Code (MAC) Key-dependent one-way hash function Only someone with a correct key can verify the hash value Easy way to turn one-way hash function into MAC is to encrypt hash value

More information

Chapter 9: Key Management

Chapter 9: Key Management Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures Slide #9-1 Overview Key exchange Session vs. interchange

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2011 CS 161 Computer Security Discussion 9 March 30, 2011 Question 1 Another Use for Hash Functions (8 min) The traditional Unix system for password authentication works more or less like

More information

Trusted Intermediaries

Trusted Intermediaries AIT 682: Network and Systems Security Topic 7. Trusted Intermediaries Instructor: Dr. Kun Sun Trusted Intermediaries Problem: authentication for large networks Solution #1 Key Distribution Center (KDC)

More information

AIT 682: Network and Systems Security

AIT 682: Network and Systems Security AIT 682: Network and Systems Security Topic 7. Trusted Intermediaries Instructor: Dr. Kun Sun Trusted Intermediaries Problem: authentication for large networks Solution #1 Key Distribution Center (KDC)

More information

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism Module 9 - Security Issues Separation of Security policies Precise definition of which entities in the system can take what actions Security mechanism Means of enforcing that policy Distributed system

More information

Distributed Systems Principles and Paradigms

Distributed Systems Principles and Paradigms Distributed Systems Principles and Paradigms Chapter 09 (version April 7, 2008) Maarten van Steen Vrije Universiteit Amsterdam, Faculty of Science Dept. Mathematics and Computer Science Room R4.20. Tel:

More information

Identification Schemes

Identification Schemes Identification Schemes Lecture Outline Identification schemes passwords one-time passwords challenge-response zero knowledge proof protocols Authentication Data source authentication (message authentication):

More information

Cryptographic Protocols 1

Cryptographic Protocols 1 Cryptographic Protocols 1 Luke Anderson luke@lukeanderson.com.au 5 th May 2017 University Of Sydney Overview 1. Crypto-Bulletin 2. Problem with Diffie-Hellman 2.1 Session Hijacking 2.2 Encrypted Key Exchange

More information

User Authentication Protocols Week 7

User Authentication Protocols Week 7 User Authentication Protocols Week 7 CEN-5079: 2.October.2017 1 Announcement Homework 1 is posted on the class webpage Due in 2 weeks 10 points (out of 100) subtracted each late day CEN-5079: 2.October.2017

More information

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018 Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS

More information

Lord of the Rings J.R.R. TOLKIEN

Lord of the Rings J.R.R. TOLKIEN Copyright 1994 AT&T and Lumeta Corporation. All Rights Reserved. Notice: For personal use only. These materials may not be reproduced or distributed in any form or by any means except that they may be

More information

Computer Security 4/12/19

Computer Security 4/12/19 Authentication Computer Security 09. Authentication Identification: who are you? Authentication: prove it Authorization: you can do it Paul Krzyzanowski Protocols such as Kerberos combine all three Rutgers

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 24 April 16, 2012 CPSC 467b, Lecture 24 1/33 Kerberos Secure Shell (SSH) Transport Layer Security (TLS) Digital Rights Management

More information

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012 Ideal Security Protocol Satisfies security requirements Requirements must be precise Efficient Small computational requirement Small bandwidth usage, network delays Not fragile Works when attacker tries

More information

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security. Trusted Intermediaries CSC/ECE 574 Computer and Network Security Topic 7. Trusted Intermediaries Problem: authentication for large networks Solution #1 Key Distribution Center () Representative solution:

More information

CS Computer Networks 1: Authentication

CS Computer Networks 1: Authentication CS 3251- Computer Networks 1: Authentication Professor Patrick Traynor 4/14/11 Lecture 25 Announcements Homework 3 is due next class. Submit via T-Square or in person. Project 3 has been graded. Scores

More information

Authentication. Overview of Authentication systems. IT352 Network Security Najwa AlGhamdi

Authentication. Overview of Authentication systems. IT352 Network Security Najwa AlGhamdi Authentication Overview of Authentication systems 1 Approaches for Message Authentication Authentication is process of reliably verifying the identity of someone. Authentication Schemes 1. Password-based

More information

Overview. Terminology. Password Storage

Overview. Terminology. Password Storage Class: CSG254 Network Security Team: Enigma (team 2) Kevin Kingsbury Tejas Parikh Tony Ryan Shenghan Zhang Assignment: PS3 Secure IM system Overview Our system uses a server to store the passwords, and

More information

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models CS 645 Security and Privacy in Computer Systems Lecture 7 The Kerberos authentication system Last Week Security policy, security models, trust Access control models The Bell-La Padula (BLP) model The Biba

More information

Cryptographic Checksums

Cryptographic Checksums Cryptographic Checksums Mathematical function to generate a set of k bits from a set of n bits (where k n). k is smaller then n except in unusual circumstances Example: ASCII parity bit ASCII has 7 bits;

More information

Computer Networks & Security 2016/2017

Computer Networks & Security 2016/2017 Computer Networks & Security 2016/2017 Network Security Protocols (10) Dr. Tanir Ozcelebi Courtesy: Jerry den Hartog Courtesy: Kurose and Ross TU/e Computer Science Security and Embedded Networked Systems

More information

Lecture 1: Course Introduction

Lecture 1: Course Introduction Lecture 1: Course Introduction Thomas Johansson T. Johansson (Lund University) 1 / 37 Chapter 9: Symmetric Key Distribution To understand the problems associated with managing and distributing secret keys.

More information

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation Overview Key exchange Session vs. interchange keys Classical, public key methods Key generation Cryptographic key infrastructure Certificates Key storage Key escrow Key revocation Digital signatures May

More information

HOST Authentication Overview ECE 525

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication in real-time

More information

Chapter 8. Network Security. Cryptography. Need for Security. An Introduction to Cryptography 10/7/2010

Chapter 8. Network Security. Cryptography. Need for Security. An Introduction to Cryptography 10/7/2010 Cryptography Chapter 8 Network Security Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic Principles Need for Security An Introduction

More information

Chapter 10 : Private-Key Management and the Public-Key Revolution

Chapter 10 : Private-Key Management and the Public-Key Revolution COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 10 : Private-Key Management and the Public-Key Revolution 1 Chapter 10 Private-Key Management

More information

What did we talk about last time? Public key cryptography A little number theory

What did we talk about last time? Public key cryptography A little number theory Week 4 - Friday What did we talk about last time? Public key cryptography A little number theory If p is prime and a is a positive integer not divisible by p, then: a p 1 1 (mod p) Assume a is positive

More information

User Authentication. Modified By: Dr. Ramzi Saifan

User Authentication. Modified By: Dr. Ramzi Saifan User Authentication Modified By: Dr. Ramzi Saifan Authentication Verifying the identity of another entity Computer authenticating to another computer Person authenticating to a local/remote computer Important

More information

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security CMPSC443 - Introduction to Computer and Network Security Module: Cryptographic Protocols Professor Patrick McDaniel Spring 2009 1 Key Distribution/Agreement Key Distribution is the process where we assign

More information

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment. CS355: Cryptography Lecture 17: X509. PGP. Authentication protocols. Key establishment. Public Keys and Trust Public Key:P A Secret key: S A Public Key:P B Secret key: S B How are public keys stored How

More information

User Authentication Protocols

User Authentication Protocols User Authentication Protocols Class 5 Stallings: Ch 15 CIS-5370: 26.September.2016 1 Announcement Homework 1 is due today by end of class CIS-5370: 26.September.2016 2 User Authentication The process of

More information

Security: Focus of Control. Authentication

Security: Focus of Control. Authentication Security: Focus of Control Three approaches for protection against security threats a) Protection against invalid operations b) Protection against unauthorized invocations c) Protection against unauthorized

More information

Distributed Systems Principles and Paradigms. Chapter 09: Security

Distributed Systems Principles and Paradigms. Chapter 09: Security Distributed Systems Principles and Paradigms Christoph Dorn Distributed Systems Group, Vienna University of Technology c.dorn@infosys.tuwien.ac.at http://www.infosys.tuwien.ac.at/staff/dorn Slides adapted

More information

Outline More Security Protocols CS 239 Computer Security February 4, 2004

Outline More Security Protocols CS 239 Computer Security February 4, 2004 Outline More Security Protocols CS 239 Computer Security February 4, 2004 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication

More information

L13. Reviews. Rocky K. C. Chang, April 10, 2015

L13. Reviews. Rocky K. C. Chang, April 10, 2015 L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing

More information

User Authentication. Modified By: Dr. Ramzi Saifan

User Authentication. Modified By: Dr. Ramzi Saifan User Authentication Modified By: Dr. Ramzi Saifan Authentication Verifying the identity of another entity Computer authenticating to another computer Person authenticating to a local/remote computer Important

More information

Computer Security. 10. Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

Computer Security. 10. Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2017 Computer Security 10. Exam 2 Review Paul Krzyzanowski Rutgers University Spring 2017 March 23, 2018 CS 419 2017 Paul Krzyzanowski 1 Question 1(a) Suppose you come across some old text in the form GEPPQ

More information

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Data Security and Privacy. Topic 14: Authentication and Key Establishment Data Security and Privacy Topic 14: Authentication and Key Establishment 1 Announcements Mid-term Exam Tuesday March 6, during class 2 Need for Key Establishment Encrypt K (M) C = Encrypt K (M) M = Decrypt

More information

Data Communication Prof.A.Pal Dept of Computer Science & Engineering Indian Institute of Technology, Kharagpur Lecture - 40 Secured Communication - II

Data Communication Prof.A.Pal Dept of Computer Science & Engineering Indian Institute of Technology, Kharagpur Lecture - 40 Secured Communication - II Data Communication Prof.A.Pal Dept of Computer Science & Engineering Indian Institute of Technology, Kharagpur Lecture - 40 Secured Communication - II Hello and welcome to today's lecture on secured communication.

More information

Chapter 8. Network Security. Need for Security. An Introduction to Cryptography. Transposition Ciphers One-Time Pads

Chapter 8. Network Security. Need for Security. An Introduction to Cryptography. Transposition Ciphers One-Time Pads Cryptography p y Chapter 8 Network Security Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic Principles Need for Security An Introduction

More information

(2½ hours) Total Marks: 75

(2½ hours) Total Marks: 75 (2½ hours) Total Marks: 75 N. B.: (1) All questions are compulsory. (2) Makesuitable assumptions wherever necessary and state the assumptions made. (3) Answers to the same question must be written together.

More information

CS 161 Computer Security

CS 161 Computer Security Popa & Wagner Spring 2016 CS 161 Computer Security Discussion 5 Week of February 19, 2017 Question 1 Diffie Hellman key exchange (15 min) Recall that in a Diffie-Hellman key exchange, there are values

More information

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L CS 3461/5461: Introduction to Computer Networking and Internet Technologies Network Security Study: 21.1 21.5 Kannan Srinivasan 11-27-2012 Security Attacks, Services and Mechanisms Security Attack: Any

More information

Security: Focus of Control

Security: Focus of Control Security: Focus of Control Three approaches for protection against security threats a) Protection against invalid operations b) Protection against unauthorized invocations c) Protection against unauthorized

More information

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp. Test 2 Review Name Student ID number Notation: {X} Bob Apply Bob s public key to X [Y ] Bob Apply Bob s private key to Y E(P, K) Encrypt P with symmetric key K D(C, K) Decrypt C with symmetric key K h(x)

More information

Lecture 7 - Applied Cryptography

Lecture 7 - Applied Cryptography CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Lecture 7 - Applied Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger

More information

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos Kerberos and Public-Key Infrastructure Key Points Kerberos is an authentication service designed for use in a distributed environment. Kerberos makes use of a thrusted third-part authentication service

More information

Unit-VI. User Authentication Mechanisms.

Unit-VI. User Authentication Mechanisms. Unit-VI User Authentication Mechanisms Authentication is the first step in any cryptographic solution Authentication can be defined as determining an identity to the required level of assurance Passwords

More information

Security protocols and their verification. Mark Ryan University of Birmingham

Security protocols and their verification. Mark Ryan University of Birmingham Security protocols and their verification Mark Ryan University of Birmingham Contents 1. Authentication protocols (this lecture) 2. Electronic voting protocols 3. Fair exchange protocols 4. Digital cash

More information

CIS 6930/4930 Computer and Network Security. Final exam review

CIS 6930/4930 Computer and Network Security. Final exam review CIS 6930/4930 Computer and Network Security Final exam review About the Test This is an open book and open note exam. You are allowed to read your textbook and notes during the exam; You may bring your

More information

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature Key Management Digital signatures: classical and public key Classic and Public Key exchange 1 Handwritten Signature Used everyday in a letter, on a check, sign a contract A signature on a signed paper

More information

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Outline More Security Protocols CS 239 Computer Security February 6, 2006 Outline More Security Protocols CS 239 Computer Security February 6, 2006 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication

More information

Kurose & Ross, Chapters (5 th ed.)

Kurose & Ross, Chapters (5 th ed.) Kurose & Ross, Chapters 8.2-8.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) Addison-Wesley, April 2009. Copyright 1996-2010, J.F Kurose and

More information

CS3235 Seventh set of lecture slides

CS3235 Seventh set of lecture slides CS3235 Seventh set of lecture slides Hugh Anderson National University of Singapore School of Computing October, 2007 Hugh Anderson CS3235 Seventh set of lecture slides 1 Warp 9... Outline 1 Public Key

More information

Authentication Protocols

Authentication Protocols COMP Distributed Systems Protocols Kevin Jeffay Department of Computer Science University of North Carolina at Chapel Hill jeffay@cs.unc.edu October 5, 999 http://www.cs.unc.edu/~jeffay/courses/compf99

More information

Applied Cryptography and Computer Security CSE 664 Spring 2017

Applied Cryptography and Computer Security CSE 664 Spring 2017 Applied Cryptography and Computer Security Lecture 18: Key Distribution and Agreement Department of Computer Science and Engineering University at Buffalo 1 Key Distribution Mechanisms Secret-key encryption

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2017 CS 161 Computer Security Midterm 2 Print your name:, (last) (first) I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that any academic misconduct will be reported

More information

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic. 15-441 Lecture Nov. 21 st 2006 Dan Wendlandt Worms & Viruses Phishing End-host impersonation Denial-of-Service Route Hijacks Traffic modification Spyware Trojan Horse Password Cracking IP Spoofing DNS

More information

CNT4406/5412 Network Security

CNT4406/5412 Network Security CNT4406/5412 Network Security Authentication Zhi Wang Florida State University Fall 2014 Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 1 / 43 Introduction Introduction Authentication is the process

More information

CSC 482/582: Computer Security. Security Protocols

CSC 482/582: Computer Security. Security Protocols Security Protocols Topics 1. Basic Concepts of Cryptography 2. Security Protocols 3. Authentication Protocols 4. Key Exchange Protocols 5. Kerberos 6. Public Key Infrastructure Encryption and Decryption

More information

CT30A8800 Secured communications

CT30A8800 Secured communications CT30A8800 Secured communications Pekka Jäppinen October 31, 2007 Pekka Jäppinen, Lappeenranta University of Technology: October 31, 2007 Authentication Three basic models 1. Something you know Password,

More information

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

CSC 5930/9010 Modern Cryptography: Public Key Cryptography CSC 5930/9010 Modern Cryptography: Public Key Cryptography Professor Henry Carter Fall 2018 Recap Number theory provides useful tools for manipulating integers and primes modulo a large value Abstract

More information

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos ECE596C: Handout #9 Authentication Using Shared Secrets Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract. In this lecture we introduce the concept of authentication and

More information

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key? ryptography Goals Protect private communication in the public world and are shouting messages over a crowded room no one can understand what they are saying 1 Other Uses of ryptography Authentication should

More information

Elements of Security

Elements of Security Elements of Security Dr. Bill Young Department of Computer Sciences University of Texas at Austin Last updated: April 8, 2015 at 12:47 Slideset 7: 1 Car Talk Puzzler You have a friend in a police state

More information

HY-457 Information Systems Security

HY-457 Information Systems Security HY-457 Information Systems Security Recitation 1 Panagiotis Papadopoulos(panpap@csd.uoc.gr) Kostas Solomos (solomos@csd.uoc.gr) 1 Question 1 List and briefly define categories of passive and active network

More information