Simple Security Protocols


Monday, December 4, 2012
Reading: S&M Ch. 9; Schneier Chs. 2-4; Kaufman, Perlman, & Speciner, Ch. 11; Anderson, Ch. 3
CS342 Computer Security, Department of Computer Science, Wellesley College

What is a Protocol?

Schneier's definition: A protocol is a series of steps, involving two or more parties, designed to accomplish a task.

Computational examples:
o low-level network protocols (UDP, TCP, IP)
o higher-level communication protocols (HTTP, SMTP, SSL, FTP)
o authentication (SSH, Kerberos)
o public key infrastructure (PKI)
o electronic voting
o electronic money

Simple Noncomputational Protocol Examples

Exchanging names when meeting for the first time:
(holding out hand to ): Hi, I'm.
(shakes 's hand): I'm. Pleased to meet you.
Conversation ensues.

Establishing a phone conversation:
dials 's phone number.
(answering ringing phone): Hello.
: May I please speak to?
: This is. Who's calling?
: This is.

Probabilistic Protocol for Pot-Luck Dinner

is planning a pot-luck dinner party with a large group of friends. When is it? Who brings what? (Don't want only desserts!)
o Many protocols for this problem involve a large number of messages.
o Here's a simple protocol in which broadcasts a single message to all friends and needs no responses:

I'm holding a pot-luck dinner party at my house on Sat. Oct. 16 at 7pm. Please come if you can make it. In order to determine what kind of dish to bring, please flip two coins: if both are heads, bring an appetizer or salad; if both are tails, bring a dessert; otherwise (one head, one tail), bring a main dish.

Bicycle Transfer Protocol

and both work at Wellesley, but are never on campus at the same time. wants to transfer her bicycle to at Wellesley. How can she accomplish this in the following scenarios?
o Both and have keyed bicycle locks.
o has a keyed bicycle lock.
o Neither nor has a bicycle lock.

Computational Protocol Building Blocks

o Symmetric-key encryption/decryption with key K: D(K, E(K, M)) = M
o One-way hash function H (can be combined with key for signature).
o Public-key cryptography: D(Kpriv, E(Kpub, M)) = M
  Some public key systems (e.g. RSA) even have commutativity, a la two-lock bicycle transfer protocol: D(Kpriv1, E(Kpub2, E(Kpub1, M))) = E(Kpub2, M) if the two key pairs share the same n (bad idea!)
o Public-key signatures: E(Kpub, D(Kpriv, M)) = M (not all PK systems, but RSA has)
o Timestamps
o Sequence Numbers
o Nonces

Timestamps, Sequence Numbers, and Nonces

Protocol messages often contain numbers that distinguish messages or serve to foil various attacks:
o Timestamps: Include the current time in a message to foil replay attacks. Requires participants have synchronized clocks, which can be challenging (maintained by other protocols). Subject to clock-resetting attacks.
o Sequence Numbers: Include a sequence number to foil replay attacks. Problem: attacker can determine next number from previous.
o Nonces = values used once (e.g., for unique IDs, challenges). Typically a large random number, since hard for attacker to guess. Timestamps and sequence numbers are often inappropriate, since easy for attackers to guess.

Protocol Example: Electronic Coin Flip

and are in separate locations but want to flip a coin fairly. I.e., both of and win/lose a flip with 50% probability. How can they do this?
Note: In this protocol, we aren't worried about Eve or.

Coin Flipping with Simple Encryption

1. sends nonce to.
2. generates random bit b and random key K and sends E(K, <, b>) to.
3. guesses that 's bit is b and sends this to. (He wins if b = b and loses otherwise.)
4. now knows whether she won or lost; she sends K to.
5. calculates D(K, E(K, <, b>)) = <, b> and now knows whether he won or lost.

Messages (diagram): E(K, <,b>); b; K

Coin Flipping with Simple Encryption: Discussion

o commits to b before guesses. She cannot change her mind after guesses.
o does not know b choice before he guesses, but can verify b after he guesses.
o We assume both and play by the rules. If not:
  If loses, she can:
  1. claim sent her the wrong bit b
  2. refuse to send him K or send him the wrong K, so he can't verify he won.
  If loses, he can:
  1. claim he sent the winning bit instead; or
  2. claim that the he finds in the last step is not the one he sent.

Coin Flipping with Hashing

1. chooses nonce and sends H() to.
2. guesses whether is even or odd, and sends guess (b) to.
3. now knows whether she won or lost; she sends to.
4. verifies H() = h and now knows whether he won or lost.

Messages (diagram): H(); b

Notes:
o This depends on and H() having uncorrelated even/oddness.
o Again, commits to a choice () before guesses; she cannot change her mind after guesses.
o Again, does not know 's choice before he guesses, but can verify her choice after the guess.
o Again, both and have to play by the rules.

Zero-Knowledge Protocol

Idea: Convince someone that you know a secret without telling them what you know. Afterwards, they are convinced you know the secret, but they have no knowledge of what the secret actually is!
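The hash-based coin flip above, as an added example that is not part of the original slides. It assumes SHA-256 for H, a 32-byte random nonce, and the nonce's lowest bit as its even/odd-ness; the function names are hypothetical. It also covers two of the rule-breaking cases from the discussion: a changed reveal and a withheld reveal.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def commit(nonce: bytes) -> bytes:
    """Step 1: the committer publishes H(nonce) and keeps the nonce secret."""
    return hashlib.sha256(nonce).digest()


def coin(nonce: bytes) -> int:
    """The coin is the nonce's even/odd-ness: 0 = even, 1 = odd (low bit)."""
    return nonce[-1] & 1


def settle(commitment: bytes, guess: int, revealed: Optional[bytes]) -> str:
    """Step 4: the guesser checks the reveal against the commitment first."""
    if not revealed:
        # The committer refused to reveal, so the guesser cannot verify a win.
        return "unverifiable"
    if not hmac.compare_digest(commit(revealed), commitment):
        # The committer tried to change her choice after seeing the guess.
        return "reveal rejected"
    return "guesser wins" if coin(revealed) == guess else "committer wins"


def flip(guess: int) -> str:
    """One honest round with a fresh 32-byte nonce (large, so it is hard to guess)."""
    nonce = secrets.token_bytes(32)
    commitment = commit(nonce)          # message 1: H(nonce)
    return settle(commitment, guess, nonce)   # messages 2 and 3: guess, nonce


if __name__ == "__main__":
    odd_nonce = bytes(31) + b"\x01"     # constructed sample nonce, odd
    c = commit(odd_nonce)
    print(settle(c, 1, odd_nonce))      # honest reveal
    print(settle(c, 1, bytes(32)))      # reveal swapped for an even nonce
    print(settle(c, 1, None))           # reveal withheld
```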

Zero-Knowledge Protocol: Ali Baba's Cave*

Passage in cave splits into two dead-end paths. Thief claims to know magic words to get from one dead end to other. Test this probabilistically:
1. Thief randomly chooses path and enters it. (You don't see which.)
2. You flip coin, and ask him to come out of path determined by flip.
If after a large number of trials he always succeeds, you are convinced he knows magic without learning the magic.

* Quisquater and Guillou, How to Explain Zero-Knowledge Protocols to your Children, http://pages.cs.wisc.edu/~mkowalcz/628.pdf

Zero-Knowledge Protocol in Practice

Idea: convince someone that you have the solution to a computationally intractable problem without telling them the solution.
E.g. Graph Isomorphism: claims to know isomorphism π between two large graphs G1 and G2. Easy to verify, but extremely hard to find. convinces she knows π without revealing it as follows:
1. generate a new graph G3 that's isomorphic to G1 and G2.
2. Ask to pick which of π1 and π2 he wants to see.
3. repeats this many times (generating a new graph each time).
is convinced she knows π without gaining any knowledge about π itself.

One-Way vs. Two-Way (Mutual) Authentication

One-Way Authentication
In one-way authentication needs to be convinced that a conversation request from is really from. ( is often a remote server to which is logging in from a local computer.)

Two-Way (Mutual) Authentication
Both and need to be convinced about the authenticity of the other party.

Attackers
In both of these authentication situations, we do need to worry about Eve and, who might try to impersonate or.

Game Plan
We'll first study one-way authentication and associated attacks. Then we'll move on to mutual authentication.

One-Way Authentication: Plaintext Passwords

Message (diagram): < I'm, password >

sends password in the clear to. FTP, telnet, and HTTP passwords actually work this way! Attacks?

One-Way Authentication: Hashed Passwords

Message (diagram): < I'm, H(password) >

sends hash of password to, who compares it to his database of hashed passwords for all users. Benefits? Attacks?

Password Interception

Messages (diagram): password; < I'm, H(password) >

Man-in-the-Middle / Chess Grandmaster Attacks

Many password interception techniques are examples of man-in-the-middle (MITM) attacks: impersonates to and to.

Messages (diagram): message to; message to; message to; message to

This is also known as the chess grandmaster attack: can play remote chess against grandmasters (white) and (black) at the same time and will win one game or draw both.

Replay Attack

Messages (diagram): < I'm, H(password) >; Eve; < I'm, H(password) >

Eve can record encrypted password and later replay it. How to foil replay attack?

Foiling Replay Attack

o Timestamps/Sequence Numbers/Nonces: but, as we'll see in more detail later, these have problems:
  timestamps require synchronization and might be guessable
  consecutive sequence numbers are obviously related
  nonces must be remembered by.
o Password Aging: bad social properties; people try to circumvent. How frequent to be effective deterrent?
o One-time Passwords (OTP): has a sequence of passwords and uses each only once (they're nonreusable!).
  how to generate password sequence?
  how to synchronize and?
o Challenge-Response: responds to new challenge from on each login.

One-Way Authentication: Encrypted Passwords

Message (diagram): < I'm, E(K_AB, password) >

sends password encrypted with key K_AB she shares with.
Note: E(K_AB, password) is often written {password}K_AB
Benefits? Attacks?

OTP: Tokens (e.g., RSA SecurID)

RSA SecurID token displays number determined from seed and time. User enters displayed number and PIN/password (two factors!), and info sent to central server (which also knows seed and time).
o Hardware tokens
o Software tokens
Problems?

OTP: Iterated Hashing (e.g., S/Key)

One-way hash function H is used to generate sequence of n passwords from seed p_0; passwords p_i = H(p_{i-1}) are used in order p_{n-1}, p_{n-2}, ...

Initialization (diagram): p_0; < I'm, n, H^n(p_0) >; <n, H^n(p_0)>
Authentication (diagram): I'm; i; p_0; P_{i-1} = H^{i-1}(p_0); <i, h_i = H^i(p_0)>; checks that h_i = H(h_{i-1}); I believe you're; <i-1, h_{i-1} = H^{i-1}(p_0)>

Also known as Lamport's hash after its inventor, Leslie Lamport.

Man-in-the-Middle (Small n) Attack on S/Key

If can impersonate, she can present a challenge k i and then impersonate for (k i)+1 steps.

Messages (diagram): p_0; I'm; k; P_{k-1} = H^{k-1}(p_0); I'm; i; k; P_{i-1} = H^{i-k}(p_{k-1}) = H^{i-1}(p_0); <i, H^i(p_0)>; I believe you're; <i-1, H^{i-1}(p_0)>

One-Way Authentication: Challenge-Response

responds to nonce challenge from by encrypting or hashing with shared key K_AB.

Messages (diagram): I'm; E(K_AB, ) or H(<K_AB, >)

MITM Attack on Challenge-Response

Messages (diagram): I'm; E(K_AB, ) or H(<K_AB, >); I'm; E(K_AB, ) or H(<K_AB, >)

MIG-in-the-Middle attack described by Anderson (diagram): SAAF radar in Namibia; E(K_SAAF, ); Cuban MIG over Namibia; E(K_SAAF, ); Cuban radar in Angola; E(K_SAAF, ); SAAF jet over Angola

Other Challenge-Response Attacks

Violated assumptions can lead to many attacks:
o Impersonation: Nothing authenticates, so can impersonate.
o Known Plaintext: Plaintext can help Eve figure out key K_AB.
o Chosen Plaintext: As, can get to encrypt any M.
o Session Hijacking: hijacks conversation after initial handshake.
o Server Database Attack: may be able to find K_AB (and thereby impersonate ) by attacking 's database.
o Predictable Nonce: If nonce is a sequence number or coarse-grained timestamp, can replace by a later, obtain E(K_AB, ) from, and use this to impersonate for later nonce. (This is impractical for fine-grained timestamp.)

Moral: Cryptography not enough by itself; must consider system in which it's used. (Radia Perlman's talk on How to Build an Insecure System out of Perfectly Good Cryptography.)
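The S/Key iterated-hash login and the small-n problem described above, as an added example that is not part of the original slides. It assumes SHA-256 for H; the Server and Client classes are hypothetical, and the client-side check that refuses an unexpected challenge number is one possible mitigation added here, not something the slides specify.

```python
import hashlib
import hmac


def H(data: bytes, times: int = 1) -> bytes:
    """Apply the one-way hash `times` times: H^times(data)."""
    for _ in range(times):
        data = hashlib.sha256(data).digest()
    return data


class Server:
    """Holds only <n, H^n(p_0)>, never the seed p_0."""

    def __init__(self, n: int, top: bytes):
        self.n, self.h = n, top

    def challenge(self) -> int:
        return self.n

    def verify(self, response: bytes) -> bool:
        # Chain exhausted: re-initialise rather than ask for p_0 itself.
        if self.n < 2:
            return False
        # Accept p_{n-1} only if hashing it once gives the stored H^n(p_0).
        if not hmac.compare_digest(H(response), self.h):
            return False
        self.n, self.h = self.n - 1, response   # now <n-1, H^{n-1}(p_0)>
        return True


class Client:
    """Holds the seed p_0 and remembers which challenge it expects next."""

    def __init__(self, p0: bytes, n: int):
        self.p0, self.expected = p0, n

    def respond(self, i: int) -> bytes:
        # Answering a smaller i would hand out H^{i-1}(p_0), from which every
        # later one-time password can be computed by hashing forward.
        if i != self.expected:
            raise ValueError(f"unexpected challenge {i}, expected {self.expected}")
        self.expected -= 1
        return H(self.p0, i - 1)


if __name__ == "__main__":
    p0 = b"constructed seed"            # constructed sample seed
    server, client = Server(100, H(p0, 100)), Client(p0, 100)
    otp = client.respond(server.challenge())
    print(server.verify(otp))           # first use is accepted
    print(server.verify(otp))           # replay of the same password fails
```

A client that keeps no count has no way to tell a genuine challenge from a smaller one, which is what the small-n attack relies on.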

Encrypted Challenge-Response

Messages (diagram): I'm; E(K_AB, )

o can't impersonate for unreplayable nonce (e.g., includes fine-grained timestamp) since she doesn't know K_AB (unless she's MITM).
o If includes fine-grained timestamp, is authenticated too!
o Must use encryption rather than hash. Why?
o Solves chosen plaintext problem.
o As with regular challenge-response, this suffers from MITM attack, known-plaintext attack, session hijacking, server database attack, and predictable nonce attack.
o Predictable nonce attack even worse here, since needn't be involved for to impersonate her by guessing later.

One-Message Encrypted Challenge-Response

Message (diagram): < I'm, E(K_AB, timestamp) >

More efficient, but:
o is no longer authenticated
o if timestamp is coarse-grained, Eve can replay message to impersonate (unless keeps records of timestamps already used)
o if convinces to set his clock back, can replay old messages.

One-Way Authentication with Public Key Crypto

Messages (diagram): I'm; E(K_Apub, ); I'm; D(K_Apriv, )

o No shared secrets in 's database, so addresses server database attack.
o Still suffers from impersonation, man-in-the-middle, session hijacking, known plaintext, and predictable nonce attacks.
o By impersonating, can get to encrypt or sign arbitrary messages! How to address this?

Foiling Predictable Nonce & Known Plaintext

Messages (diagram): I'm; E(K_AB, ); E(K_AB+1, )

o Nonce is always sent encrypted, so it's safe to use a predictable one.
o If nonce is unpredictable, foils known-plaintext attack.
o How can these protocols be modified so that is authenticated?

Mutual Authentication

o Many one-way authentication problems due to unauthenticated.
o In practice, mutual authentication very important:
  are you ordering from Amazon or an Amazon impersonator?
  are you giving your personal info to Citibank or a phisher?
  are you sending embarrassing messages to friend or blackmailer?

Mutual Authentication as Two One-Ways

Mutual 1 (diagram): <, 1 >; <E(K_AB, 1 ), 2 > or <H(<K_AB, 1 >), 2 >; E(K_AB, 2 ) or H(<K_AB, 2 >)
Mutual 2 (diagram): <, E(K_AB, 1 ) >; < 1, E(K_AB, 2 )>; 2

Vulnerable to same attacks for one-way protocols except impersonation.

Attempted Optimization of Mutual 1

Messages (diagram): <, 2 >; <, 1, E(K_AB, 2 )>; E(K_AB, 1 )

Chosen Plaintext Attack

Messages (diagram): <, M>; <, 1, E(K_AB, M)>

Moral: Beware changing or designing protocols! Best to stick with well-studied ones.

Reflection Attack

Messages (diagram):
<, 2 > (session 1)
<, 1, E(K_AB, 2 )> (session 1)
<, 1 > (session 2)
E(K_AB, 1 ) (session 1)
<, 3, E(K_AB, 1 )> (session 2)

Asymmetry Foils Replay Attack

Messages (diagram): <, 2 >; < 1, E(K_AB, 2 )>; E(K_AB+1, 1 )
Messages (diagram): <, 2 0>; < 1 1, E(K_AB, 2 0)>; E(K_AB, 1 1)
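The optimized three-message exchange beside an asymmetric variant, run against the two-session reflection from the slide above; this is an added example, not part of the original slides. It uses the hashed form of the response (HMAC-SHA-256 stands in for H(<K_AB, nonce>)), and the asymmetry is implemented with a per-direction label instead of the slide's K_AB+1; the key, labels and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed shared key K_AB"    # sample key for the demo only


def mac(key: bytes, label: bytes, nonce: bytes) -> bytes:
    """Keyed hash of a nonce; `label` binds the proof to one direction."""
    return hmac.new(key, label + nonce, hashlib.sha256).digest()


class Responder:
    """The party that answers a challenge and issues its own (messages 2 and 3)."""

    def __init__(self, key: bytes, asymmetric: bool):
        self.key = key
        # Symmetric (weak) form: both directions compute the same function.
        self.my_label = b"resp:" if asymmetric else b""
        self.peer_label = b"init:" if asymmetric else b""
        self.pending = {}               # session id -> nonce we issued

    def hello(self, session: int, peer_nonce: bytes):
        """Message 2: prove knowledge of the key and send our own nonce."""
        my_nonce = secrets.token_bytes(16)
        self.pending[session] = my_nonce
        return my_nonce, mac(self.key, self.my_label, peer_nonce)

    def finish(self, session: int, proof: bytes) -> bool:
        """Message 3: accept only a peer-direction proof over our nonce."""
        my_nonce = self.pending.pop(session)
        return hmac.compare_digest(proof, mac(self.key, self.peer_label, my_nonce))


def reflection_accepted(responder: Responder) -> bool:
    """Runs the slide's two sessions without the key; True means the design is weak."""
    r1, _ = responder.hello(1, secrets.token_bytes(16))   # session 1 opens
    _, answer = responder.hello(2, r1)                     # session 2 echoes r1
    return responder.finish(1, answer)                     # answer reused in session 1


def honest_login(responder: Responder, key: bytes) -> bool:
    """A key holder completes the exchange and also checks the responder's proof."""
    my_nonce = secrets.token_bytes(16)
    their_nonce, their_proof = responder.hello(1, my_nonce)
    if not hmac.compare_digest(their_proof, mac(key, responder.my_label, my_nonce)):
        return False
    return responder.finish(1, mac(key, responder.peer_label, their_nonce))


if __name__ == "__main__":
    print(reflection_accepted(Responder(KEY, asymmetric=False)))  # weak design
    print(reflection_accepted(Responder(KEY, asymmetric=True)))   # hardened design
    print(honest_login(Responder(KEY, asymmetric=True), KEY))
```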

ISO SC27 Mutual Authentication Protocol (S&M)

Messages (diagram): < I'm, 1 >; <E(K_AB, 1 ), E(K_AB, 2 )>; 2

Attacks?