Lecture 6.2: Protocols - Authentication and Key Exchange II. CS 436/636/736 Spring Nitesh Saxena. Course Admin

Similar documents
Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Lecture 3.4: Public Key Cryptography IV

Spring 2010: CS419 Computer Security

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Lecture 9: Network Level Security IPSec

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

CIS 4360 Secure Computer Systems Applied Cryptography

CS 161 Computer Security

Key Agreement. Guilin Wang. School of Computer Science, University of Birmingham

Information Security CS 526

Session key establishment protocols

Auth. Key Exchange. Dan Boneh

Session key establishment protocols

KEY AGREEMENT PROTOCOLS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 13 of Trappe and Washington

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Fall 2010/Lecture 32 1

Lecture 2 Applied Cryptography (Part 2)

Data Security and Privacy. Topic 14: Authentication and Key Establishment

L13. Reviews. Rocky K. C. Chang, April 10, 2015

T Cryptography and Data Security

Key Establishment. Chester Rebeiro IIT Madras. Stinson : Chapter 10

Public Key Algorithms

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Networks & Security 2016/2017

Key Establishment and Authentication Protocols EECE 412

Applied Cryptography and Computer Security CSE 664 Spring 2017

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

CS Computer Networks 1: Authentication

Network Security (NetSec)

Station-to-Station Protocol

Identification Schemes

Real-time protocol. Chapter 16: Real-Time Communication Security

Diffie-Hellman. Part 1 Cryptography 136

Cryptographic Protocols 1

18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange. Dan Boneh

Key Agreement Schemes

CS 494/594 Computer and Network Security

Session Key Distribution

CS Protocol Design. Prof. Clarkson Spring 2017

1. Diffie-Hellman Key Exchange

Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography

(More) cryptographic protocols

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Modelling and Analysing of Security Protocol: Lecture 1. Introductions to Modelling Protocols. Tom Chothia CWI

Homework 3: Solution

CS Protocols. Prof. Clarkson Spring 2016

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Public Key Algorithms

Lecture 15 Public Key Distribution (certification)

Authentication in Distributed Systems

CS 395T. Formal Model for Secure Key Exchange

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

CSC 474/574 Information Systems Security

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

CPSC 467: Cryptography and Computer Security

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

Software Security and Intro to Cryptography

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Other Topics in Cryptography. Truong Tuan Anh

COMPUTER & NETWORK SECURITY

Datasäkerhetsmetoder föreläsning 7

Security Handshake Pitfalls

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Preventing Attackers From Using Verifiers: A-PAKE With PK-Id

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CSE 127: Computer Security Cryptography. Kirill Levchenko

Security. Alessandro Margara Slides based on previous work by Matteo Migliavacca and Alessandro Sivieri

Authentication Handshakes

Lecture 20: Public-key Encryption & Hybrid Encryption. Public-key Encryption

Advanced Cryptography 1st Semester Symmetric Encryption

Network Working Group. Category: Informational September 1999

Introduction to Cryptography and Security Mechanisms. Abdul Hameed

Chapter 9: Key Management

ECE 646 Lecture 3. Key management

CSC 474/574 Information Systems Security

CSC/ECE 774 Advanced Network Security

Course Administration

Software Security Design Principles + Intro to Crypto

22-security.txt Tue Nov 27 09:13: Notes on Security Protocols , Fall 2012 Carnegie Mellon University Randal E.

PROTECTING CONVERSATIONS

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Public Key Algorithms

Cryptographic protocols

Lecture 3: Symmetric Key Encryption

Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7

Chapter 9. Public Key Cryptography, RSA And Key Management

David Wetherall, with some slides from Radia Perlman s security lectures.

Cryptographic Checksums

Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

CS3235 Seventh set of lecture slides

Transcription:

Lecture 6.2: Protocols - Authentication and Key II CS 436/636/736 Spring 2012 Nitesh Saxena Mid-Term Grading Course Admin Will be done over the break Scores will be posted online and graded exams distribute post-break Will email the solution set too Any questions regarding the exam Perhaps we can quickly review? 2 1

Course Admin HW3 will be posted after the Spring break Due in 12-14 days as usual 3 Outline of Today s lecture Today we try to put everything together Encryption (public-key/private-key) MACs Signing Key-Distribution Secure protocols (for secure communication) Authentication We studied it somewhat while talking about key distribution (Authenticated-) Key Designing secure protocols is hard we ll only be able to learn the basics today We ll use the board extensively today be prepared to take notes 4 2

MAC-based Authentication 1. A B: A, ra 2. B A: rb, HMAC K (rb, ra, A) 3. A B: HMAC K (ra, rb,b) Faster than enc-based protocols (computationally) 5 Public-key based authentication (Needham-Shroeder (NS) pk-based) Assuming public keys are distributed through CA(s) 1. A B: Enc pkb (ra, A) 2. B A: Enc pka (ra, rb) 3. A B: Enc pkb (rb) 6 3

Attack and fix on PK-based NS protocol Attack: Fix: 1. A B: Enc pkb (ra, A) 2. B A: Enc pka (ra, rb,b) 3. A B: Enc pkb (rb) 7 Signature-based authentication (assuming public keys are distributed through CA) A auth B A B: Hi Bob, this is Alice! B A: r (a challenge) A B: Sig SKa (r,b)(response) A auth B, B auth A(run two copies; piggyback common flows) A B: A, ra (could sign this too) B A: rb, Sig SKb (rb, ra, A) A B: Sig SKa (ra,rb,b) 8 4

Authenticated Key (AKE) Public-key operations are costly Why not 1. use public-key mutual authentication protocols to exchange a symmetric key 2. use this symmetric key with a symmetric encryption to secure subsequent communication 9 Security Notion for AKE Launch protocol between any pair Reveal all session key except one Try to distinguish the key of the unrevealed session from random This captures: the compromise of other sessions should not lead to the compromise of any other session 10 5

AKE Protocol 1. A B: A, ra, Enc PKb (K) (mustsign this too??) 2. B A: rb, Sig SKb (rb, ra, A) 3. A B: Sig SKa (ra, rb, B) 4. A and B output K as the authenticated key Such a protocol can be instantiated using RSA encryption/signing The way SSL/SSH establishes key But, generally only the server authenticates to the client, not vice versa 11 X.509: One-Way Authentication 1 message ( A->B) used to establish the identity of A and that message is from A message was intended for B integrity& originality of message A 1-A {ta,ra,b,sgndata,kub[kab]} B Ta-timestamp ra=nonce B =identity sgndata=signed with A s private key 12 6

X.509: Two-Way Authentication 2 messages (A->B, B->A) which also establishes in addition: the identity of B and that reply is from B that reply is intended for A integrity & originality of reply A 1-A {ta,ra,b,sgndata,kub[kab]} 2-B {tb,rb,a,sgndata,kua[kba]} B 13 X.509: Three-Way Authentication 3 messages (A->B, B->A, A->B) which enables above authentication without the need for synchronized clocks 1- A {ta,ra,b,sgndata,kub[kab]} A 2 -B {tb,rb,a,sgndata,kua[kab]} 3- A{rb} B 14 7

Discrete Logarithm Assumption p, q primes such that q p-1 g be the generator of Z p * g is an element of order q and generates a group G q of order q; g = g (p-1)/q x in Z q, y = g x mod p Given (p, q, g, y), it is computationally hard to compute x No polynomial time algorithm known p should be 1024-bits and q be 160-bits x becomes the private key and y becomes the public key 15 Example of DL-based system Let s construct an example KeyGen: p = 11, q = 2 or 5; let s say q = 5 2 is a generator of Z 11 * g = 2 2 = 4 x = 2; y = 4 2 mod 11 = 5 16 8

Diffie-Hellman (DH) Key 1. A B: K a = g a mod p 2. B A: K b = g b mod p 3. A outputs K ab = K b a 4. B outputs K ba = K a b Note K ab = K ba = g ab mod p 17 Security of DH key exchange No authentication of either party Secure only against a passive adversary Under the computational Diffie-Hellman assumption Given (g, g a,g b ), hard to compute g ab Not secure against an active attacker Man-in-the-middle attack 18 9

Authenticated DH Key 1. A B: K a = g a mod p 2. B A: Cert b, K b = g b mod p Enc Kba [Sig SKb (K b, K a )] 3. A B: Cert a, Enc Kab [Sig SKa (K a,k b )] 4. A outputs K ab = K b a 5. B outputs K ba = K a b 19 Summary Designing secure protocols is not easy Becomes harder in a concurrent setting, where there are multiple parties, executing multiple instances of the protocols simultaneously Becomes even harder as the number of parties increase; n-party or group setting Use the protocols that are well-studied and standardized While designing a protocol, consider Reflection attacks Replay attacks Eliminating any symmetry in the messages 20 10

HAC chapter 10 Stallings Chapter 15 Further Reading 21 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback