Lecture 6.2: Protocols - Authentication and Key Exchange II. CS 436/636/736 Spring Nitesh Saxena. Course Admin

Transcription

1 Lecture 6.2: Protocols - Authentication and Key II CS 436/636/736 Spring 2012 Nitesh Saxena Mid-Term Grading Course Admin Will be done over the break Scores will be posted online and graded exams distribute post-break Will the solution set too Any questions regarding the exam Perhaps we can quickly review? 2 1

2 Course Admin HW3 will be posted after the Spring break Due in days as usual 3 Outline of Today s lecture Today we try to put everything together Encryption (public-key/private-key) MACs Signing Key-Distribution Secure protocols (for secure communication) Authentication We studied it somewhat while talking about key distribution (Authenticated-) Key Designing secure protocols is hard we ll only be able to learn the basics today We ll use the board extensively today be prepared to take notes 4 2

3 MAC-based Authentication 1. A B: A, ra 2. B A: rb, HMAC K (rb, ra, A) 3. A B: HMAC K (ra, rb,b) Faster than enc-based protocols (computationally) 5 Public-key based authentication (Needham-Shroeder (NS) pk-based) Assuming public keys are distributed through CA(s) 1. A B: Enc pkb (ra, A) 2. B A: Enc pka (ra, rb) 3. A B: Enc pkb (rb) 6 3

4 Attack and fix on PK-based NS protocol Attack: Fix: 1. A B: Enc pkb (ra, A) 2. B A: Enc pka (ra, rb,b) 3. A B: Enc pkb (rb) 7 Signature-based authentication (assuming public keys are distributed through CA) A auth B A B: Hi Bob, this is Alice! B A: r (a challenge) A B: Sig SKa (r,b)(response) A auth B, B auth A(run two copies; piggyback common flows) A B: A, ra (could sign this too) B A: rb, Sig SKb (rb, ra, A) A B: Sig SKa (ra,rb,b) 8 4

5 Authenticated Key (AKE) Public-key operations are costly Why not 1. use public-key mutual authentication protocols to exchange a symmetric key 2. use this symmetric key with a symmetric encryption to secure subsequent communication 9 Security Notion for AKE Launch protocol between any pair Reveal all session key except one Try to distinguish the key of the unrevealed session from random This captures: the compromise of other sessions should not lead to the compromise of any other session 10 5

6 AKE Protocol 1. A B: A, ra, Enc PKb (K) (mustsign this too??) 2. B A: rb, Sig SKb (rb, ra, A) 3. A B: Sig SKa (ra, rb, B) 4. A and B output K as the authenticated key Such a protocol can be instantiated using RSA encryption/signing The way SSL/SSH establishes key But, generally only the server authenticates to the client, not vice versa 11 X.509: One-Way Authentication 1 message ( A->B) used to establish the identity of A and that message is from A message was intended for B integrity& originality of message A 1-A {ta,ra,b,sgndata,kub[kab]} B Ta-timestamp ra=nonce B =identity sgndata=signed with A s private key 12 6

7 X.509: Two-Way Authentication 2 messages (A->B, B->A) which also establishes in addition: the identity of B and that reply is from B that reply is intended for A integrity & originality of reply A 1-A {ta,ra,b,sgndata,kub[kab]} 2-B {tb,rb,a,sgndata,kua[kba]} B 13 X.509: Three-Way Authentication 3 messages (A->B, B->A, A->B) which enables above authentication without the need for synchronized clocks 1- A {ta,ra,b,sgndata,kub[kab]} A 2 -B {tb,rb,a,sgndata,kua[kab]} 3- A{rb} B 14 7

8 Discrete Logarithm Assumption p, q primes such that q p-1 g be the generator of Z p * g is an element of order q and generates a group G q of order q; g = g (p-1)/q x in Z q, y = g x mod p Given (p, q, g, y), it is computationally hard to compute x No polynomial time algorithm known p should be 1024-bits and q be 160-bits x becomes the private key and y becomes the public key 15 Example of DL-based system Let s construct an example KeyGen: p = 11, q = 2 or 5; let s say q = 5 2 is a generator of Z 11 * g = 2 2 = 4 x = 2; y = 4 2 mod 11 =

9 Diffie-Hellman (DH) Key 1. A B: K a = g a mod p 2. B A: K b = g b mod p 3. A outputs K ab = K b a 4. B outputs K ba = K a b Note K ab = K ba = g ab mod p 17 Security of DH key exchange No authentication of either party Secure only against a passive adversary Under the computational Diffie-Hellman assumption Given (g, g a,g b ), hard to compute g ab Not secure against an active attacker Man-in-the-middle attack 18 9

10 Authenticated DH Key 1. A B: K a = g a mod p 2. B A: Cert b, K b = g b mod p Enc Kba [Sig SKb (K b, K a )] 3. A B: Cert a, Enc Kab [Sig SKa (K a,k b )] 4. A outputs K ab = K b a 5. B outputs K ba = K a b 19 Summary Designing secure protocols is not easy Becomes harder in a concurrent setting, where there are multiple parties, executing multiple instances of the protocols simultaneously Becomes even harder as the number of parties increase; n-party or group setting Use the protocols that are well-studied and standardized While designing a protocol, consider Reflection attacks Replay attacks Eliminating any symmetry in the messages 20 10

11 HAC chapter 10 Stallings Chapter 15 Further Reading 21 11