CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

Derived from slides by William Enck, Micah Sherr, Patrick McDaniel, Peng Ning, and Vitaly Shmatikov

Authentication
[Diagram: Alice? Bob?]

Three Flavors of Credentials
- Credentials are evidence used to prove identity
- Credentials can be
  1. Something I am
  2. Something I have
  3. Something I know

Web Authentication (still based on "something you know")

Web Authentication
- Authentication is a bi-directional process
  - Client
  - Server
  - Mutual authentication
- Several standard authentication tools
  - Basic (client)
  - Digest (client)
  - Secure Socket Layer (server, mutual)

Basic Authentication
    Client -> Server:
        GET /protected/index.html HTTP/1.0
    Server -> Client:
        HTTP/1.0 401 Unauthorized
        WWW-Authenticate: Basic realm="Private"
    Client -> Server:
        GET /protected/index.html HTTP/1.0
        Authorization: Basic JA87JKAs3NbBDs

Basic Authentication -- is this secure?
- Encoded != Encrypted
- Passwords easy to intercept (base-64 encoded; not encrypted)
- Passwords:
  - easy to guess
  - easy to share
- No server authentication: easy to fool client into sending password to malicious server

Digest Authentication
    Client -> Server:
        GET /protected/index.html HTTP/1.1
    Server -> Client:
        HTTP/1.1 401 Unauthorized
        WWW-Authenticate: Digest realm="Private" nonce="98bdc1f9f017.."
    Client -> Server:
        GET /protected/index.html HTTP/1.1
        Authorization: Digest username="lstein" realm="Private" nonce="98bdc1f9f017.." response="5ccc069c4.."

Challenge/Response
- Challenge: nonce is a one-time random string/value
    nonce = H(IPaddress : timestamp : server secret)
  - More generally, a nonce is a number or string (often randomly or pseudorandomly chosen) that is only used once
- Response: challenge hashed with username and password
    response = H(H(name : realm : password) : nonce : H(request))

Advantages of Digest over Basic
- Cleartext password never transmitted across network
- Cleartext password never stored on server
- Replay attacks difficult
- Intercepted response only valid for a single URL
Shared disadvantages
- Vulnerable to man-in-the-middle attacks (no server-side auth)
- Document itself can be sniffed
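The challenge/response computation above, worked through as an added example (not part of the original slides). It assumes H is MD5 as in RFC 2617, takes H(request) to be H(method:uri), and prefixes the nonce with its timestamp so the server can recheck it; the secret, password and addresses are constructed sample values.

```python
import hashlib
import hmac

REALM = "Private"
SERVER_SECRET = "constructed-server-secret"  # constructed sample value
NONCE_TTL = 300  # seconds a nonce is honoured; assumed policy

def H(text):
    # MD5 is the hash RFC 2617 digest authentication uses by default
    return hashlib.md5(text.encode()).hexdigest()

def make_nonce(ip, now):
    # nonce = H(IPaddress : timestamp : server secret), sent with its timestamp
    ts = str(int(now))
    return ts + ":" + H(ip + ":" + ts + ":" + SERVER_SECRET)

def nonce_ok(nonce, ip, now):
    # Recompute the nonce from the claimed timestamp; reject forged or stale ones
    ts, _, mac = nonce.partition(":")
    if not ts.isdigit():
        return False
    expected = H(ip + ":" + ts + ":" + SERVER_SECRET)
    return hmac.compare_digest(mac, expected) and 0 <= now - int(ts) <= NONCE_TTL

def digest_response(ha1, nonce, method, uri):
    # response = H(H(name : realm : password) : nonce : H(request))
    return H(ha1 + ":" + nonce + ":" + H(method + ":" + uri))

def client_response(user, password, nonce, method, uri):
    return digest_response(H(user + ":" + REALM + ":" + password), nonce, method, uri)

# Server-side store holds H(name : realm : password) only, never the cleartext.
USERS = {"lstein": H("lstein:" + REALM + ":constructed-password")}

def server_verify(user, nonce, response, method, uri, ip, now):
    ha1 = USERS.get(user)
    if ha1 is None or not nonce_ok(nonce, ip, now):
        return False
    return hmac.compare_digest(response, digest_response(ha1, nonce, method, uri))
```

The stored H(name : realm : password) value is all that is needed to compute a valid response, so the server's user table needs the same protection as a password file.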

Authentication Handshakes
- Secure communication almost always includes an initial authentication handshake.
  - Authenticate each other
  - Establish session keys
- This process is not trivial; flaws in this process undermine secure communication

Authentication with Shared Secret
    Alice -> Bob: I'm Alice
    Bob -> Alice: a challenge R
    Alice -> Bob: f(K_{Alice-Bob}, R)
Weaknesses
- Authentication is not mutual; Trudy can convince Alice that she is Bob
- Trudy can hijack the conversation after the initial exchange
- If the shared key is derived from a password, Trudy can mount an off-line password guessing attack
- Trudy may compromise Bob's database and later impersonate Alice

Authentication with Shared Secret (Cont'd)
    Alice -> Bob: I'm Alice
    Bob -> Alice: K_{Alice-Bob}{R}
    Alice -> Bob: R
- A variation
  - Requires reversible cryptography
  - Other variations are possible
- Weaknesses
  - All the previous weaknesses remain
  - Trudy doesn't have to see R to mount off-line password guessing if R has certain patterns (e.g., concatenated with a timestamp)
    - Trudy sends a message to Bob, pretending to be Alice

Authentication with Public Key
    Alice -> Bob: I'm Alice
    Bob -> Alice: R
    Alice -> Bob: Sig_{Alice}{R}
- Bob's database is less risky
- Weaknesses
  - Authentication is not mutual; Trudy can convince Alice that she is Bob
  - Trudy can hijack the conversation after the initial exchange
  - Trudy can trick Alice into signing something
    - Mitigation: Use different private key for authentication

Authentication with Public Key (Cont'd)
    Alice -> Bob: I'm Alice
    Bob -> Alice: {R}_{Alice}
    Alice -> Bob: R
- A variation

Mutual Authentication
    Alice -> Bob: I'm Alice
    Bob -> Alice: R_1
    Alice -> Bob: f(K_{Alice-Bob}, R_1)
    Alice -> Bob: R_2
    Bob -> Alice: f(K_{Alice-Bob}, R_2)
Optimize
    Alice -> Bob: I'm Alice, R_2
    Bob -> Alice: R_1, f(K_{Alice-Bob}, R_2)
    Alice -> Bob: f(K_{Alice-Bob}, R_1)

Mutual Authentication (Cont'd)
- Reflection attack
    Trudy -> Bob: I'm Alice, R_2
    Bob -> Trudy: R_1, f(K_{Alice-Bob}, R_2)
    Trudy -> Bob: f(K_{Alice-Bob}, R_1)

    Trudy -> Bob: I'm Alice, R_1
    Bob -> Trudy: R_3, f(K_{Alice-Bob}, R_1)

Reflection Attacks (Cont'd)
- Lesson: Don't have Alice and Bob do exactly the same thing
  - Different keys
    - Totally different keys
    - K_{Alice-Bob} = K_{Bob-Alice} + 1
  - Different challenges
  - The initiator should be the first to prove its identity
    - Assumption: initiator is more likely to be the bad guy
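An added example, not from the original slides, that models Bob as the responder of the optimized exchange and checks whether a reflected answer is accepted, first with the plain f(K, R) and then with the sender's role bound into f (one way to realize the "different challenges" lesson). HMAC-SHA256 as f, the session ids and the role labels are assumptions.

```python
import hashlib
import hmac
import os

K = os.urandom(32)  # constructed K_{Alice-Bob} for the demo

def f(key, role, r, bind):
    # bind=False is the slide's f(K, R); bind=True mixes in the sender's role,
    # so Alice and Bob never compute the same function of the same challenge.
    data = role + b"|" + r if bind else r
    return hmac.new(key, data, hashlib.sha256).digest()

class Bob:
    """Responder in the optimized three-message exchange; serves many sessions."""

    def __init__(self, key, bind):
        self.key, self.bind, self.pending = key, bind, {}

    def on_hello(self, sid, r2):
        # Message 2: fresh challenge R_1 plus Bob's answer to R_2
        r1 = os.urandom(16)
        self.pending[sid] = r1
        return r1, f(self.key, b"bob", r2, self.bind)

    def on_proof(self, sid, proof):
        # Message 3: accept only the initiator's answer to this session's R_1
        r1 = self.pending.pop(sid, None)
        if r1 is None:
            return False
        return hmac.compare_digest(proof, f(self.key, b"alice", r1, self.bind))

def alice_login(bob, key):
    # Honest initiator who holds the key: checks Bob's answer, then proves herself
    r2 = os.urandom(16)
    r1, bob_proof = bob.on_hello("alice-1", r2)
    if not hmac.compare_digest(bob_proof, f(key, b"bob", r2, bob.bind)):
        return False
    return bob.on_proof("alice-1", f(key, b"alice", r1, bob.bind))

def reflected_proof_accepted(bob):
    # Keyless peer: feeds Bob's own R_1 into a second session and echoes the answer
    r1, _ = bob.on_hello("s1", os.urandom(16))
    _, echoed = bob.on_hello("s2", r1)
    return bob.on_proof("s1", echoed)
```

With `bind=False` the echoed value equals the proof Bob expects, so the first session authenticates without the key; with `bind=True` Bob's own output can never satisfy the initiator's check.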

Mutual Authentication (Cont'd)
- Password guessing
    Alice -> Bob: I'm Alice, R_2
    Bob -> Alice: R_1, f(K_{Alice-Bob}, R_2)
    Alice -> Bob: f(K_{Alice-Bob}, R_1)
- Countermeasure
    Alice -> Bob: I'm Alice
    Bob -> Alice: R_1
    Alice -> Bob: f(K_{Alice-Bob}, R_1), R_2
    Bob -> Alice: f(K_{Alice-Bob}, R_2)

Mutual Authentication (Cont'd)
- Public keys
  - Authentication of public keys is a critical issue
    Alice -> Bob: I'm Alice, {R_2}_{Bob}
    Bob -> Alice: R_2, {R_1}_{Alice}
    Alice -> Bob: R_1

Mutual Authentication (Cont'd)
- Mutual authentication with timestamps
  - Require synchronized clocks
  - Alice and Bob have to encrypt different timestamps
    Alice -> Bob: I'm Alice, f(K_{Alice-Bob}, timestamp)
    Bob -> Alice: f(K_{Alice-Bob}, timestamp+1)

Integrity/Encryption for Data
- Communication after mutual authentication should be cryptographically protected as well
  - Require a session key established during mutual authentication

Establishment of Session Keys
- Secret key based authentication
  - Assume the following authentication happened.
      Alice -> Bob: I'm Alice
      Bob -> Alice: R
      Alice -> Bob: K_{Alice-Bob}{R}
  - Can we use K_{Alice-Bob}{R} as the session key?
  - Can we use K_{Alice-Bob}{R+1} as the session key?
  - In general, modify K_{Alice-Bob} and encrypt R. Use the result as the session key.

Establishment of Session Keys (Cont'd)
- Two-way public key based authentication
  1. Alice chooses a random number R, encrypts it with Bob's public key, result used as session key.
     - Trudy may hijack the conversation
  2. Alice encrypts and signs R
     - Trudy may save all the traffic, and decrypt all the encrypted traffic when she is able to compromise Bob
     - Less severe threat

Two-Way Public Key Based Authentication (Cont'd)
- A better approach
  - Alice chooses and encrypts R_1 with Bob's public key
  - Bob chooses and encrypts R_2 with Alice's public key
  - Session key is R_1 ⊕ R_2
  - Trudy will have to compromise both Alice and Bob
- An even better approach
  - Alice and Bob establish the session key with Diffie-Hellman key exchange
  - Alice and Bob sign the quantity they send
  - Trudy can't learn anything about the session key even if she compromises both Alice and Bob

Establishment of Session Keys (Cont'd)
- One-way public key based authentication
  - It's only necessary to authenticate the server
    - Example: SSL
  - Encrypt R with Bob's public key
  - Diffie-Hellman key exchange
    - Bob signs the D-H public key

Mediated Authentication (With KDC)
- KDC operation (in principle)
    Alice -> KDC: Alice wants Bob
    KDC: Generate K_{AB}
    KDC -> Alice: K_{Alice}{K_{AB}}
    KDC -> Bob: K_{Bob}{K_{AB}}
- Some concerns
  - Trudy may claim to be Alice and talk to KDC
    - Trudy cannot get anything useful
  - Messages encrypted by Alice may get to Bob before KDC's message
  - It may be difficult for KDC to connect to Bob

Mediated Authentication (With KDC)
- KDC operation (in practice)
    Alice -> KDC: Alice wants Bob
    KDC: Generate K_{AB}
    KDC -> Alice: K_{Alice}{K_{AB}}, K_{Bob}{K_{AB}}
    Alice -> Bob: K_{Bob}{K_{AB}} (ticket)
- Must be followed by a mutual authentication exchange
  - To confirm that Alice and Bob have the same key

Needham-Schroeder Protocol
- Classic protocol for authentication with KDC
  - Many others have been modeled after it (e.g., Kerberos)
- Nonce: A number that is used only once
  - Deal with replay attacks
    Alice -> KDC: N_1, Alice wants Bob
    KDC: Generate K_{AB}
    KDC -> Alice: K_{Alice}{N_1, Bob, K_{AB}, ticket to Bob}, where ticket to Bob = K_{Bob}{K_{AB}, Alice}
    Alice -> Bob: ticket to Bob, K_{AB}{N_2}
    Bob -> Alice: K_{AB}{N_2 - 1, N_3}
    Alice -> Bob: K_{AB}{N_3 - 1}

Needham-Schroeder Protocol (Cont'd)
- A vulnerability
  - When Trudy gets a previous key used by Alice, Trudy may reuse a previous ticket issued to Bob for Alice
  - Essential reason
    - The ticket to Bob stays valid even if Alice changes her key

Expanded Needham-Schroeder Protocol
    Alice -> Bob: I want to talk to you
    Bob -> Alice: K_{Bob}{N_B}
    Alice -> KDC: N_1, Alice wants Bob, K_{Bob}{N_B}
    KDC: Generate K_{AB}; extract N_B
    KDC -> Alice: K_{Alice}{N_1, Bob, K_{AB}, ticket to Bob}, where ticket to Bob = K_{Bob}{K_{AB}, Alice, N_B}
    Alice -> Bob: ticket to Bob, K_{AB}{N_2}
    Bob -> Alice: K_{AB}{N_2 - 1, N_3}
    Alice -> Bob: K_{AB}{N_3 - 1}
- The additional two messages assure Bob that the initiator has talked to KDC since Bob generates N_B

Kerberos

Kerberos
- An online system that resists password eavesdropping and achieves mutual authentication
- First single sign-on system (SSO)
- Easy application integration API
- Most widely used (non-web) centralized password system in existence
- Now part of Windows network authentication

Kerberos Overview
- User proves his identity; requests ticket for some service
- User receives ticket
- Ticket is used to access desired network service
[Diagram labels: User; Knows all users' and servers' passwords; Servers]

What Should a Ticket Look Like?
- Ticket gives holder access to a network service
- Ticket cannot include server's plaintext password
  - Otherwise, next time user will access server directly without proving his identity to authentication service
- Solution: encrypt some information with a key known to the server (but not the user!)
  - Server can decrypt ticket and verify information
  - User does not learn server's key
[Diagram labels: User; Server]

What should a ticket include?
- User name
- Server name
- Address of user's workstation -- WHY?
- Ticket lifetime -- WHY?
- A few other things (e.g., session key)
[Diagram labels: User; Encrypted ticket; Knows passwords of all users and servers; Encrypted ticket; Server]

Two-Step Authentication
- Prove identity once to obtain special TGS ticket
- Use TGS to get tickets for any network service
    Joe the User -> Key distribution center (KDC): USER=Joe; service=TGS
    KDC -> Joe the User: Encrypted TGS ticket
    Joe the User -> Ticket granting service (TGS): TGS ticket
    TGS -> Joe the User: Encrypted service ticket
    Joe the User -> File server, printer, other network services: Encrypted service ticket

Not quite good enuf...
- Ticket hijacking
  - Malicious user may steal the service ticket of another user on the same workstation and use it
    - IP address verification does not help
  - Servers must verify that the user who is presenting the ticket is the same user to whom the ticket was issued
- No server authentication
  - Attacker may misconfigure the network so that he receives messages addressed to a legitimate server
    - Capture private information from users and/or deny service
  - Servers must prove their identity to users
- We want mutual authentication

Symmetric Keys in Kerberos
- K_c is long-term key of client C
  - Derived from user's password
  - Known to client and key distribution center (KDC)
- K_{TGS} is long-term key of TGS
  - Known to KDC and ticket granting service (TGS)
- K_v is long-term key of network service V
  - Known to V and TGS; separate key for each service
- K_{c,TGS} is short-term session key between C and TGS
  - Created by KDC, known to C and TGS
- K_{c,v} is short-term session key between C and V
  - Created by TGS, known to C and V

Brace yourself! It's Kerberos time!
- Three-step process:
  - Logon -- obtain TGS ticket from KDC
  - Obtain service ticket from TGS
  - Use service

Single Logon Authentication
    User -> kinit program (client): password
        Client converts the password into client master key K_c
    Client -> Key Distribution Center (KDC): ID_c, ID_{TGS}, time_c
    KDC -> Client: Encrypt_{K_c}(K_{c,TGS}, ID_{TGS}, time_{KDC}, lifetime, ticket_{TGS})
        K_{c,TGS}: fresh key to be used between client and TGS
        ticket_{TGS} = Encrypt_{K_{TGS}}(K_{c,TGS}, ID_c, Addr_c, ID_{TGS}, time_{KDC}, lifetime)
        Client will use this unforgeable ticket to get other tickets without re-authenticating
    Client decrypts with K_c and obtains K_{c,TGS} and ticket_{TGS}
    [Diagram labels: TGS: Key = K_{TGS}; Key = K_c]
- All users must pre-register their passwords with KDC
- Client only needs to obtain TGS ticket once (say, every morning)
  - Ticket is encrypted; client cannot forge it or tamper with it

Obtaining a Service Ticket
    User -> Client: system command, e.g. lpr -Pprint
    Client (knows K_{c,TGS} and ticket_{TGS}) -> Ticket Granting Service (TGS): ID_v, ticket_{TGS}, auth_C
        auth_C = Encrypt_{K_{c,TGS}}(ID_c, Addr_c, time_c)
        Proves that client knows key K_{c,TGS} contained in encrypted TGS ticket
    TGS -> Client: Encrypt_{K_{c,TGS}}(K_{c,v}, ID_v, time_{TGS}, lifetime, ticket_v)
        K_{c,v}: fresh key to be used between client and service
        ticket_v = Encrypt_{K_v}(K_{c,v}, ID_c, Addr_c, ID_v, time_{TGS}, lifetime)
        Client will use this unforgeable ticket to get access to service V
    TGS usually lives inside KDC; knows key K_v for each service
- Client uses TGS ticket to obtain a service ticket and a short-term key for each network service
  - One encrypted, unforgeable ticket per service (printer, email, etc.)

Obtaining Service
    User -> Client: system command, e.g. lpr -Pprint
    Client (knows K_{c,v} and ticket_v) -> Server V: ticket_v, auth_C
        auth_C = Encrypt_{K_{c,v}}(ID_c, Addr_c, time_c)
        Proves that client knows key K_{c,v} contained in encrypted ticket
    Server V -> Client: Encrypt_{K_{c,v}}(time_c + 1)
        Authenticates server to client
- Reasoning:
  - Server can produce this message only if he knows key K_{c,v}.
  - Server can learn key K_{c,v} only if he can decrypt service ticket.
  - Server can decrypt service ticket only if he knows correct key K_v.
  - If server knows correct key K_v, then he is the right server.
- For each service request, client uses the short-term key for that service and the ticket he received from TGS
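The server-side checks behind this exchange, as an added example that is not code from the slides or from any Kerberos implementation. The seal/unseal helpers are a toy authenticated cipher standing in for Kerberos encryption, and the 300-second skew window and replay cache are assumed policy; field names follow the slide's ID_c, Addr_c and time_c.

```python
import hashlib
import hmac
import json
import os

MAX_SKEW = 300  # seconds; assumed policy, not a value from the slides

def _stream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    # Toy authenticated encryption (HMAC keystream + HMAC tag), a stand-in only
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None  # wrong key or tampered blob
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def tgs_issue(k_v, id_c, addr_c, id_v, now, lifetime):
    # TGS side: fresh K_{c,v} plus ticket_v encrypted under the service key K_v
    k_cv = os.urandom(32)
    ticket_v = seal(k_v, {"k_cv": k_cv.hex(), "id_c": id_c, "addr_c": addr_c,
                          "id_v": id_v, "time": now, "lifetime": lifetime})
    return k_cv, ticket_v

def client_auth(k_cv, id_c, addr_c, now):
    # auth_C = Encrypt_{K_{c,v}}(ID_c, Addr_c, time_c)
    return seal(k_cv, {"id_c": id_c, "addr_c": addr_c, "time": now})

def server_accept(k_v, id_v, ticket_v, auth_c, peer_addr, now, seen):
    t = unseal(k_v, ticket_v)
    if t is None or t["id_v"] != id_v:
        return None  # not a ticket for this service
    if not t["time"] <= now <= t["time"] + t["lifetime"]:
        return None  # outside the ticket lifetime
    k_cv = bytes.fromhex(t["k_cv"])
    a = unseal(k_cv, auth_c)
    if a is None:
        return None  # presenter does not know K_{c,v}; the ticket alone is not enough
    if (a["id_c"], a["addr_c"]) != (t["id_c"], t["addr_c"]) or peer_addr != t["addr_c"]:
        return None  # presenter is not the user or workstation the ticket names
    if abs(now - a["time"]) > MAX_SKEW or (a["id_c"], a["time"]) in seen:
        return None  # stale or replayed authenticator
    seen.add((a["id_c"], a["time"]))
    return seal(k_cv, {"time": a["time"] + 1})  # Encrypt_{K_{c,v}}(time_c + 1)
```

A `None` result covers each "WHY?" from the ticket-contents slide: the lifetime bounds how long a copied ticket is useful, and the authenticator check ties the ticket to a holder of K_{c,v} rather than to whoever presents it.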

Cross-Realm Kerberos
- Extend philosophy to more servers
  - Obtain ticket from TGS for foreign Realm
  - Supply to TGS of foreign Realm
  - Rinse and repeat as necessary
- "There is no problem so hard in computer science that it cannot be solved by another layer of indirection." David Wheeler, Cambridge University (circa 1950)