Applied Cryptography Basic Protocols

Transcription

1 Applied Cryptography Basic Protocols Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1

2 Session keys It is prudent practice to use a different key for each session. This reduces the chance of compromise: There is less traffic encrypted under a single key, so there is less opportunity for cryptanalysis Session keys do not have to saved in file systems, so there is less opportunity for losing them through careless system administration. 2

3 Key Exchange Each time Alice and Bob start an information exchange, they first need to agree on a session key. First, we shall look at protocols to do this in a environment with symmetric cryptography only. Later we shall look at using public-key systems for exchanging keys. 3

4 Key Exchange under Symmetric Cryptography Trent runs a key distribution center; he shares keys with Alice and Bob. Alice and Bob trust Trent. 1. A, B 2. {K AB, B} KAT, {K AB, A} KBT 3. {K AB, A} KBT, {M} KAB 4. {M } KAB 4

5 Key Exchange under Public-Key Cryptography The Wrong Way 1. A, K A 2. B, K B 3. {M} KB 4. {M } KA 5

6 Here s Why 1a. A, K A 1b. A, K M 2a. B, K B 2b. B, K M 3. {M} KM 4. {M } KM 6

7 Man-in-the-Middle Attacks Man-in-the-middle attacks are possible when Reliance is placed on unencrypted messages Encrypted messages intended for one purpose can be used for another Messages from old runs of protocols can be reused in new ones Foiling man-in-the-middle attacks requires vigilance. 7

8 Key Exchange under Public-Key Cryptography The Right Way (one of them) 1. {B, K B } ST 2. {A, K A } ST 3. {M} KB 4. {M } KA 8

9 Interlocked Protocols In some circumstances, this can work: 1. A, K A 2. B, K B 3. 1 / 2 {M} KB 4. 1 / 2 {M } KA 5. 1 / 2 {M} KB 6. 1 / 2 {M } KA 9

10 Key Exchange with Digital Signature 1. {B, K B } ST 2. {A, K A } ST 3. {{M} KAB, {K AB } KB } SA Alice knows only Bob can read the message (privacy) Bob knows that Alice sent it (authenticity) 10

11 Authentication Key exchange is intimately related to authentication. You need to know who you re talking to under the key you re exchanging. But there are many cases where authentication is useful without key exchange. 11

12 Authentication with One-Way Functions 1. password P 2. H(P)=? E A Where E A is a stored copy of the has of her password. The host does not have to store the password itself. The idea to do this dates from the sixties and Wilkes attributes it to Needham and Guy. 12

13 Dictionary Attacks So, if H is a really good one-way function, can you still find somebody s password? The answer is probably: A large dictionary contains some 100,000 words; there are 150 million possible licence plates in the Netherlands; there are name lists containing 10,000 names for boys and girls. Trying them all takes a few months on a single PC. But finding one password in a 200-entry password file only takes days. 13

14 Add Salt to Taste By adding a random number, salt, to the password before applying the one-way function (and storing the random number in the password file), each password must be found by a full search of the whole dictionary. Preprocessing is no longer possible. 14

15 SKEY Alice chooses a random number R. The computer computes the list x 1, x 2,..., x n+1 as follows: x 1 = f (R), x i+1 = f (x i ). It prints out x 1, x 2,..., x n for Alice and stores only x n+1. When Alice logs on, she types x n. The computer checks f (x n )=? x n+1. If there is a match, the computer lets Alice in and replaces x n+1 by x n. The next time, Alice uses x n 1 as password. 15

16 Problems with passwords Passwords only work if the connection between user and computer is secure (and if the computer can be trusted). 16

17 Authentication using Public Keys The host keeps the public keys of the users. The users keep the corresponding secret key: 1. N H 2. {N H } K 1 A 3. {{N H } K 1 } K A A =? N H This protocol is overly simplistic. 17

18 A Better Protocol 1. N H 2. N A, {N H, N A } K 1 A 3. {{N H, N A } K 1 } K A A =? N H, N A 18

19 Wide-Mouthed Frog 1. A, {T A, B, K AB } KAT 2. {T T, A, K AB } KBT 3. {T B } KAB 19

20 Needham-Schroeder 1. A, B, N A 2. {N A, B, K AB, {A, K AB } KBT } KAT 3. {A, K AB } KBT 4. {N B } KAB 5. {N B 1} KAB 20

21 The Needham-Schroeder Protocol is Flawed When Bob receives message 3, he has no way of telling how fresh it is. After a year of cryptanalysis, Mallory breaks one of Alice and Bob s old keys. He can then do this: 3. {A, K AB } KBT (replay) 4. {N B } K AB 5. {N B 1} K AB 21

22 Freshness Roger Needham and Mike Schroeder discovered the flaw in their protocol themselves and it got Needham thinking. With Mike Borrows and Martín Abadí he set up a logic to reason about the correctness of authentication protocols. The BAN logic expresses initial beliefs about keys and derives from the messages sent and the freshness of the information contained in them, statements about beliefs after the run of an authentication protocol. 22