What is a Protocol? Monday, December 4, 2012 eading: S&M Ch. 9; Schneier Chs. 2-4; Kaufman, Perlman, & Speciner, Ch. 11; Anderson, Ch 3 CS342 Computer Security Department of Computer Science Wellesley College Schneier s definition: A protocol is a series of steps, involving two or more parties, designed to accomplish a task. Computational examples: o low-level network protocols (UDP, TCP, IP) o higher-level communication protocols (HTTP, SMTP, SSL, FTP) o authentication (SSH, Kerberos) o public key infrastructure (PKI) o electronic voting o electronic money 24-2 Simple Noncomputational Protocol Examples Exchanging names when meeting for the first time: (holding out hand to ): Hi, I m. (shakes s hand): I m. Pleased to meet you. Conversation ensues. Establishing a phone conversation: dials s phone number. (answering ringing phone): Hello. : May I please speak to? : This is. Who s calling? : This is. Probabilistic Protocol for Pot-Luck Dinner is planning a pot-luck dinner party with a large group of friends. When is it? Who brings what? (Don t want only desserts!) o Many protocols for this problem involve a large number of messages. o Here s a simple protocol in which broadcasts a single message to all friends and need no responses: I m holding a pot-luck dinner party at my house on Sat. Oct. 16 at 7pm. Please come if you can make it. In order determine what kind of dish to bring, please flip two coins: if both are heads, bring an appetizer or salad; if both are tails, bring a dessert; otherwise (one head, one tail), bring a main dish. 24-3 24-4
Bicycle Transfer Protocol and both work at Wellesley, but are never on campus at the same time. wants to transfer her bicycle to at Wellesley. How can she accomplish this in the following scenarios? o Both and have keyed bicycle locks. o has a keyed bicycle lock. o Neither nor has a bicycle lock. Computational Protocol Building Blocks Symmetric-key encryption/decryption with key K: D(K, E(K, M)) = M One-way hash function H (can be combined with key for signature). Public-key cryptography: D(Kpriv, E(Kpub, M)) = M Some public key systems (e.g. SA) even have commutativity, a la two-lock bicycle transfer protocol: D(Kpriv1, E(Kpub2, E(Kpub1, M))) = E(Kpub2, M) if the two key pairs share the same n (bad idea!) Public-key signatures: E(Kpub, D(Kpriv, M)) = M (not all PK systems, but SA has) Timestamps Sequence Numbers Nonces 24-5 24-6 Timestamps, Sequence Numbers, and Nonces Protocol messages often contain numbers that distinguish messages or serve to foil various attacks: o Timestamps: Include the current time in a message to foil replay attacks. equires participants have synchronized clocks, which can be challenging (maintained by other protocols). Subject to clock-resetting attacks. Protocol Example: Electronic Coin Flip and are in separate locations but want to flip a coin fairly. I.e., both of and win/lose a flip with 50% probability. How can they do this? Note: In this protocol, we aren t worried about Eve or. o Sequence Numbers: Include a sequence number to foil replay attacks. Problem: attacker can determine next number from previous. o Nonces = values used once (e.g., for unique IDs, challenges) Typically a large random number, since hard for attacker to guess. Timestamps and sequence numbers are often inappropriate, since easy for attackers to guess. 24-7 24-8
Coin Flipping with Simple Encryption Coin Flipping with Simple Encryption: Discussion 1. sends nonce to. 2. generates random bit b and random key K and sends E(K, <, b>) to. 3. guesses that s bit is b and sends this to. (He wins if b = b and loses otherwise.) 4. now knows whether she won or lost; she sends K to. 5. calculates D(K, E(K, <, b>)) = <, b> and now knows whether he won or lost. E(K, <,b>) b K o commits to b before guesses. She cannot change her mind after guesses. o does not know b choice before he guesses, but can verify b after he guesses. o We assume both and play by the rules. If not: If loses, she can: 1. claim sent her the wrong bit b 2. refuse to send him K or send him the wrong K, so he can t verify he won. If loses, he can: 1. claim he sent the winning bit instead; or E(K, <,b>) b K 2. claim that the he finds in the last step is not the one he sent. 24-9 24-10 Coin Flipping with Hashing 1. chooses nonce and sends H() to. 2. guesses whether is even or odd, and sends guess (b) to. 3. now knows whether she won or lost; she sends to. 4. verifies H() = h and now knows whether he won or lost. Notes: This depends on and H() having uncorrelated even/oddness. Again, commits to a choice () before guesses; she cannot change her mind after guesses. Again, does not know s choice before he guesses, but can verify her choice after the guess. Again, both and have to play by the rules. H() b 24-11 Zero-Knowledge Protocol Idea: Convince someone that you know a secret without telling them what you know. Afterwards, they are convinced you know the secret, but they have no knowledge of what the secret actually is! 24-12
Zero-Knowledge Protocol: Ali Baba s Cave* Passage in cave splits into two-dead end paths. Thief claims to know magic words to get from one dead end to other. Test this probabilistically: 1. Thief randomly chooses path and enters it. (You don t see which.) 2. You flip coin, and ask him to come out of path determined by flip. If after a large number of trials he always succeeds, you are convinced he knows magic without learning the magic. * Quisquater and Guillou, How to Explain Zero-Knowledge Protocols to your Children, http://pages.cs.wisc.edu/~mkowalcz/628.pdf 24-13 Zero-Knowledge Protocol in Practice Idea: convince someone that you have the solution to a computationally intractable problem without telling them the solution. E.g. Graph Isomorphism: claims to know isomorphism π between two large graphs G 1 and G 2. Easy to verify, but extremely hard to find. convinces she knows π without revealing it as follows: 1. generate a new graph G 3 that s isomorphic to G 1 and G 2. π G 1 G 2 2. Ask to pick which of π 1 and π 2 he wants to see. π 1 π 2 3. repeats this many times (generating a new graph each time). G 3 is convinced she knows π without gaining any knowledge about π itself. 24-14 One-Way vs. Two-Way (Mutual) Authentication One-Way Authentication: Plaintext Passwords One-Way Authentication In one-way authentication needs to be convinced that a conversation request from is really from. ( is often a remote server to which is logging in from a local computer.) < I m, password > Two-Way (Mutual) Authentication Both and need to be convinced about the authenticity of the other party. Attackers In both of these authentication situations, we do need to worry about Eve and, who might try to impersonate or. sends password in the clear to. FTP, telnet, and HTTP passwords actually work this way!. Attacks? Game Plan We ll first study one-way authentication and associated attacks. Then we ll move on to mutual authentication. 24-15 24-16
One-Way Authentication: Hashed Passwords Password Interception < I m, H(password) > password < I m, H(password) > sends hash of password to, who compares it to his database of hashed passwords for all users. Benefits? Attacks? 24-17 24-18 Man-in-the-Middle /Chess Grandmaster Attacks eplay Attack Many password interception techniques are examples of man-in-the-middle (MITM) attacks: impersonates to and to. message to message to message to message to < I m, H(password) > Eve < I m, H(password) > Eve can record encrypted password and later replay it. This is also known as the chess grandmaster attack: can play remote chess against grandmasters (white) and (black) at the same time and will win one game or draw both. How to foil replay attack? 24-19 24-20
Foiling eplay Attack One-Way Authentication: Encrypted Passwords o Timestamps/Sequence Numbers/Nonces but, as we ll see in more detail later, these have problems: timestamps require synchronization and might be guessable consecutive sequence numbers are obviously related < I m, E(K AB, password) > nonces must be remembered by. o Password Aging bad social properties; people try to circumvent. sends password encrypted with key K AB she shares with. how frequent to be effective deterrent? Note: E(K AB, password) is often written {password} K AB o One-time Passwords (OTP): has a sequence of passwords and uses each only once (they re nonreusable!). Benefits? how to generate password sequence? o how to synchronize and? Challenge-esponse: responds to new challenge from on each login. Attacks? 24-21 12-22 OTP: Tokens (e.g., SA SecurID) SA SecurID token displays number determined from seed and time. User enters displayed number and PIN/password (two factors!), and info sent to central server (which also knows seed and time). OTP: Iterated Hashing (e.g., S/Key) One-way hash function H is used to generate sequence of n passwords from seed p 0 ; passwords p i = H(p i-1 ) are used in order p n-1, p n-2, Problems? Hardware tokens Software tokens Initialization p 0 < I m, n, H n (p 0 )> <n, H n (p 0 )> Authentication I m i p 0 P i-1 = H i-1 (p 0 ) <i, h i = H i (p 0 )> checks that h i = H(h i-1 ) I believe you re <i-1, h i-1 = H i-1 (p 0 )> 24-23 Also known as Lamport s hash after its inventor, Leslie Lamport. 12-24
Man-in-the-Middle (Small n) Attack on S/Key If can impersonate, she can present a challenge k i and then impersonate for (k i)+1 steps. One-Way Authentication: Challenge-esponse responds to nonce challenge from by encrypting or hashing with shared key K AB. p 0 I m k P k-1 = H k-1 (p 0 ) I m i k P i-1 = H i-k (p k-1 ) = H i-1 (p 0 ) <i, H i (p 0 )> I m E(K AB, ) or H( <K AB, > ) I believe you re <i-1, H i-1 (p 0 )> 24-25 24-26 MITM Attack on Challenge-esponse I m E(K AB, ) or H( <K AB, > ) I m E(K AB, ) or H( <K AB, > ) Other Challenge-esponse Attacks Violated assumptions can lead to many attacks: Impersonation: Nothing authenticates, so can impersonate. Known Plaintext: Plaintext can help Eve figure out key K AB. Chosen Plaintext: As, can get to encrypt any M. MIG-in-the-Middle attack. described by Anderson: SAAF radar in Namibia E(K SAAF, ) Cuban MIG over Namibia E(K SAAF, ) Cuban radar in Angola E(K SAAF, ) SAAF jet over Angola 24-27 Session Hijacking: hijacks conversation after initial handshake. Server Database Attack: may be able to find K AB (and thereby impersonate ) by attacking s database. Predictable Nonce: If nonce is a sequence number or coarse-grained timestamp, can replace by a later, obtain E(K AB, ) from, and use this to impersonate for later nonce. (This is impractical for fine-grained timestamp.) Moral: Cryptography not enough by itself must consider system in which it s used. (adia Perlman s talk on How to Build an Insecure System out of Perfectly Good Cryptography.) 24-28
Encrypted Challenge-esponse One-Message Encrypted Challenge-esponse I m E(K AB, ) More efficient, but: < I m, E(K AB, timestamp) > can t impersonate for unreplayable nonce (e.g., includes fine-grained timestamp) since she doesn t know K AB (unless she s MITM). If includes fine-grained timestamp, is authenticated too! Must use encryption rather than hash. Why? Solves chosen plaintext problem. As with regular challenge-response, this suffers from MITM attack, known-plaintext attack, session hijacking, server database attack, and predictable nonce attack. Predictable nonce attack even worse here, since needn t be involved for to impersonate her by guessing later. 24-29 is no longer authenticated if timestamp is course-grained, Eve can replay message to impersonate (unless keeps records of timestamps already used) if convinces to set his clock back, can replay old messages. 24-30 One-Way Authentication with Public Key Crypto Foiling Predictable Nonce & Known Plaintext I m E(K Apub, ) I m D(K Apriv, ) I m E(K AB, ) E(K AB +1, ) No shared secrets in s database, so addresses server database attack. Still suffers from impersonation, man-in-the-middle, session hijacking, known plaintext, and predictable nonce attacks. Nonce is always sent encrypted, so it s safe to use a predictable one. If nonce is unpredictable, foils known-plaintext attack. By impersonating, can get to encrypt or sign arbitrary messages! How to address this? How can these protocls be modified so that is authenticated? 24-31 24-32
Mutual Authentication Mutual Authentication as Two One-Ways o Many one-way authentication problems due to unauthenticated. o In practice, mutual authentication very important: are you ordering from Amazon or an Amazon impersonator? are you giving your personal info to Citibank or a phisher? are you sending embarrassing messages to friend or blackmailer? Mutual 1 Mutual 2 <, 1 > <E(K AB, 1 ), 2 > or <H(<K AB, 1 >), 2 > E(K AB, 2 ) or H(<K AB, 2 >) <, E(K AB, 1 ) > < 1, E(K AB, 2 )> 2 Vulnerable to same attacks for one-way protocols except impersonation. 24-33 24-34 Attempted Optimization of Mutual 1 Asymmetry Foils eplay Attack <, 2 > <, 1, E(K AB, 2 )> E(K AB, 1 ) <, 2 > < 1, E(K AB, 2 )> E(K AB +1, 1 ) Chosen Plaintext Attack eflection Attack <, M> <, 1, E(K AB, M)> Moral: Beware changing or designing protocols! Best to stick with well-studied ones. <, 2 > (session 1) <, 1, E(K AB, 2 )> (session 1) <, 1 > (session 2) E(K AB, 1 ) (session 1) <, 3, E(K AB, 1 )> (session 2) <, 2 0> < 1 1, E(K AB, 2 0)> E(K AB, 1 1) 24-35 24-36
ISO SC27 Mutual Authentication Protocol (S&M) < I m, 1 > <E(K AB, 1 ), E(K AB, 2 )> 2 Attacks? 24-37