CT30A8800 Secured communications

Transcription

1 CT30A8800 Secured communications Pekka Jäppinen October 31, 2007 Pekka Jäppinen, Lappeenranta University of Technology: October 31, 2007

2 Authentication Three basic models 1. Something you know Password, PIN 2. Something you are Physical features, involuntary behavior, signatures (physical) Something you are Magnetic cards, keys, password generators Pekka Jäppinen, Lappeenranta University of Technology: October 31, /21

3 Authentication protocols Goals A can prove to be A B cannot use A s proof to impersonate A C cannot impersonate A Features Reciprocity of authentication Both communication partners authenticate themselves vs. only one side is authenticated Efficiency Calculation (How many operations are needed) Pekka Jäppinen, Lappeenranta University of Technology: October 31, /21

4 Communication (How many messages) Third party Required / not required Realtime use (eg. automatic key exchange device) Level of trust (Stores secret/public key) Nature of proof Verifiable proof zeroknowledge proof Secret storing Handling of key material Pekka Jäppinen, Lappeenranta University of Technology: October 31, /21

5 Password authentication Traditional password authentication User gives password Computer compares the given password to the one stored in database Weakness: password storage Stored read protected in the service (weak solution) Anyone who can have access to the password file can read passwords Storing encrypted password Password is encrypted or hash value is calculated from it and the result is stored in database. When user wants to be authenticated the same function is used and the result is com- Pekka Jäppinen, Lappeenranta University of Technology: October 31, /21

6 pared to the result stored in database. Pekka Jäppinen, Lappeenranta University of Technology: October 31, /21

7 Attacks against password input Sniffing Eavesdropping, van eck Social engineering Troijans Attacks against encrypted password storing Brute-force attack Calculate all possibilities and find the match Brute-force can be slowed down in two ways 1. Slowing down the calculating Run the encryption algorithm several times Slows down the password checking n-times, where n is the amount of used rounds. Brute-force slows also down n-times Pekka Jäppinen, Lappeenranta University of Technology: October 31, /21

8 2. Using seed. Add seed in the password before calculating hash. WHen user gives password, hash is calculated with all the possible seeds. Requires 2 Seed additional calculations, when password validity is checked. Brute-forceattack with n-bit password requires averagw of 2 n+seed 2 calculations i.e. 2 seed times more calculations than without seed Password is more secured, but authentication is slower Passphrases are usually easier to remember and hold enough entropy to complicate brute-force attack Pekka Jäppinen, Lappeenranta University of Technology: October 31, /21

9 One time passwords password lists. The list may base to one-way function SKEY A provides random number, R Computer calculates x 0 = f (R),x 1 = f ( f (R)),...,x 101 = f ( f... f (R)...). x 101 is stored at the computer while user is sent the list x i, i = When user wants to authenticate he provides value x 100 and removes the value from list (draws cross over). Computer calculates f (x 100 ) and compares the result to the stored value. If values match user is authenticated and x 100 is stored at computes SKEY security bases on the one-wayness of function f i.e. one cannot calculate x i 1 from x i Pekka Jäppinen, Lappeenranta University of Technology: October 31, /21

10 Challenge-response authentication Authentication is proved by stating the knowledge about the secret without revealing it. With Asymmetric cryptography: 1. A device generates random bits and sends them to A 2. A encrypts the bits using private key and returns the results with her name 3. device fetches the public key of A from database and decrypts the message 4. If the decypted message matches to original generated one, A is authenticated. Pros: A does not have to send any secrets over unsecure line Connection doesn t require secured connection Weaknesses Pekka Jäppinen, Lappeenranta University of Technology: October 31, /21

11 Asymmetric private key has to be stored on somewhere. Only one side is authenticated. Encrypting random bitstream is a risk ->selected plaintext attack. Encrypting with secret key == digital signature General model for safe challenge-response protocol 1. A makes some calucalations based on random numbers and private key. The results is sent to B. 2. B sends some random number to A 3. A makes some calculations based on all the random numbers and private key. The result is sent to B 4. B makes calculations based on A:s public key and the results A sent. The calculations confirm that A knows the private key corresponding to the known public key of A. Pekka Jäppinen, Lappeenranta University of Technology: October 31, /21

12 zero-knowledge proof of identity We want to proof we know a secret without giving up any information about the secret itself The proof cannot be shown later on to other parties. Cut and choose protocol Cutting the bread: A divides the bread and B chooses which piece he takes. Magic cave example 1. V is on the cave entrance from where he cannot see to first crossing 2. P enters the cave and goes either to left or right tunnel from the crossing. Left and right tunnels are connected deeper in the cave but in between them, there is a magic door which can be only opened with magic word. 3. When P has walked to the door, V enter the cave and walks to the crossing Pekka Jäppinen, Lappeenranta University of Technology: October 31, /21

13 4. V shouts in to the cave and tells P to come out from either left or right tunnel 5. P follows the orders and use the magic word if necessary 6. The procedure is repeated n-times, to quarantee P knows the magicword Chance for making right quess when choosing the tunnels is 50% (After 10 rounds the chance is 1 = ) Pekka Jäppinen, Lappeenranta University of Technology: October 31, /21

14 Fiat-Shamir algorithm Initial phase (done before hand): 1. T Chooses and publishes value n = pq, but keeps primes p and q as a secret. 2. A chooses secret s, which is prime number between values 1 s n 1 and counts v = s 2 mod n. Then A registers v to T as a public key (v is number between 0 (n 1)) Fiat-shamir t-rounds 1. A chooses random number r, 1 r n 1 and counts x = r 2 mod n, which is sent to B 2. B chooses challenge bit e, which is either 0 or 1 and sends the challenge to A 3. A calculates and sends to B y = r s e mod n (if e = 0 y = r) 4. B rejects answer if y = 0 (to disallow r = 0 trick) but otherwise accepts the answer if y 2 x v e mod n. Challenge e = 1 verifies that A knows secret s. Challeneg e = 0 Pekka Jäppinen, Lappeenranta University of Technology: October 31, /21

15 Secured Communications: Key exchange Schneier:Applied Cryptography Chapter 5.2 verifies that A cannot cheat by choosing suitable x. if A tries to cheat and sends x = r 2 /v he can provide correct answer to challenge e = 1 by sending y = r, (y 2 = r2 v v1 mod n = r 2 ) To challenge e = 0 A should be able to calculate r mod n At best the A can answer correctly to one of the questions, thus possibility for cheating is 50% per round B cannot determine anything about secret s, since B do not know the random number r. Only thing B knows about s is v = s 2 mod n Attacks against zero knowledge proof of identity Chessmaster problem: A works as man in the middle Mafia trick: B and C co-operate against A. Exact timing can protect from these attacks. Fraud with multiple identities Pekka Jäppinen, Lappeenranta University of Technology: October 31, /21

16 Secured Communications: Key exchange Schneier:Applied Cryptography Chapter 5.2 Person generates more than one public key To prevent this fraud, a method for quaranteeing person has just one identity (one public key for authentication) is required Passport renting Private key is compromised i.e. given to friend or criminal In challenge-response authentication the actual identity is not validated just the fact that the person authenticated knows the secret (private key) Biometric authentication is need to quarantee the identity More about challenge-response at seminars (perhaps) Pekka Jäppinen, Lappeenranta University of Technology: October 31, /21

17 Secured Communications: Key exchange Schneier:Applied Cryptography Chapter 5.2 Token based authentication Token can be used for authentication in challege-response model i.e. the token handles thee response to the challenge. For example: Finnish electronic identity card (FINEID) contains the information about the user, goverment certified public keys for encyption and authentication and corresponding private keys. Token based challenge-response. 1. Token contains secret key and corresponding public key is at server. Token either encrypts or decrypts challenge and sends response. 2. The challenge is fed into the token, which then caluculates the response 3. Token contains time dependent function that is known also by the server. i.e. the authentication is based on time Reliability is based on the fact that token cannot be reverse en- Pekka Jäppinen, Lappeenranta University of Technology: October 31, /21

18 Secured Communications: Key exchange Schneier:Applied Cryptography Chapter 5.2 gineered. Token verifies that the given token is used, not the identity of the token user. It is possible to use biometrics or passwords along with token to provide more secure solutions. Biometrics Biometrics can be used to authenticate user locally Biometrics can be used to protect the asymmetric cyrptography private key stored in token or computer. Actual use of biometric reader has to be verified or similar risks exists as for passwords. Authentication and key exchange. Lot of different types of protocols: Kerberos, radius, wide-mouth Pekka Jäppinen, Lappeenranta University of Technology: October 31, /21

19 Secured Communications: Key exchange Schneier:Applied Cryptography Chapter 5.2 frog, yahalom... Kerberos (based on needham-shroeder protocol) The goal is to provide access to different types of services and machines with single authentication. Three different actions 1. Authentication service, AS 2. Ticket Granting Service, TGS 3. Authenticating to service Before anything else Alice has created a longterm key A K for the system that is stored by Trent (KDC). A K is hash value of users password. Authentication service: 1. Alice logs in to her workstation 2. Workstation connects to Trent and requests session key for Alice. Request contains the identity of Alice I A and a timestamp T which are encrypted with Alice s long term key K A : E KA (I A,T ) Pekka Jäppinen, Lappeenranta University of Technology: October 31, /21

20 Secured Communications: Key exchange Schneier:Applied Cryptography Chapter Trent responds with Ticket Granting Ticket (TGT) that contains identity of Alicen I A, ticket validity time L, identity of Trent and key Alice s key K A encrypted with Trent s key K T : E KT (I A,L,I T,K A ). Trent also sends new session key K A T, that is used for communications between Trent and Alice encrypted with Alice s key K A Ticket Granting Service (Alice wants to make connection to Bob) 1. Alice sends TGT to Trent along with Bob s identity encrypted with session key K A T 2. Trent generates timestamp T, validity time L, secret key K A B and encrypts these along with Alice s identity I A using the key Trent has shared with Bob. E KB (T,L,K A B,I A ). This is a ticket for Alice to use Bob s service. Trent also sends to Alice the generated information and bob s identity encrypteed with Alice s longterm key. E KA (T,L,K A B,I B ). Trent sends these to Alice. 3. Alice decrypts the information and stores it. Pekka Jäppinen, Lappeenranta University of Technology: October 31, /21

21 Secured Communications: Key exchange Schneier:Applied Cryptography Chapter 5.2 Authentication to service 1. Alice encrypts message containing her own identity I A and timestamp T with key K A B : E KA B (I A,T ). Alice sends the encrypted message to Bob along with the ticket gained from Trent E KB (T,L,K A B,I A ). 2. Bob decrypts the message and verifies Alices Identity. If everything matches Bob lets Alice to use his service. Things learned from authentication systems development and evaluation When system is optimized important aspects are easily forgotten and security is weakened It is easy to get lost when doing optimization. For example, if you don t have authentic time, you can t use one. When choosing the used protocol it is important to understand the environment where protocol is used. What do wwe want to optimize? Pekka Jäppinen, Lappeenranta University of Technology: October 31, /21

22 Secured Communications: Key exchange Schneier:Applied Cryptography Chapter 5.2 Usually it is better to use good and well known model instead of creating your own. More about authentication: Richard E. Smith: Authentication, from passwords to public keys Pekka Jäppinen, Lappeenranta University of Technology: October 31, /21