Session key establishment protocols

Similar documents
Session key establishment protocols

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Key Agreement. Guilin Wang. School of Computer Science, University of Birmingham

Appendix A: Introduction to cryptographic algorithms and protocols

Message authentication

Station-to-Station Protocol

Elements of Security

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Applied Cryptography and Computer Security CSE 664 Spring 2017

Spring 2010: CS419 Computer Security

T Cryptography and Data Security

Key Establishment. Chester Rebeiro IIT Madras. Stinson : Chapter 10

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

Authentication in Distributed Systems

Applied Cryptography Basic Protocols

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Grenzen der Kryptographie

Identification Schemes

Authentication Handshakes

User Authentication Protocols

CSC 474/574 Information Systems Security

Outline More Security Protocols CS 239 Computer Security February 4, 2004

Network Security (NetSec)

Security Handshake Pitfalls

Key Establishment and Authentication Protocols EECE 412

Information Security CS 526

User Authentication Protocols Week 7

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

CS 161 Computer Security

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

Cryptographic Protocols 1

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Security protocols and their verification. Mark Ryan University of Birmingham

Real-time protocol. Chapter 16: Real-Time Communication Security

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Chapter 10 : Private-Key Management and the Public-Key Revolution

Fall 2010/Lecture 32 1

Authenticated Key Agreement without Subgroup Element Verification

Security Handshake Pitfalls

Summary on Crypto Primitives and Protocols

CS 494/594 Computer and Network Security

What did we talk about last time? Public key cryptography A little number theory

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

1. Diffie-Hellman Key Exchange

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

(2½ hours) Total Marks: 75

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Key Agreement Schemes

CS Computer Networks 1: Authentication

Contents Digital Signatures Digital Signature Properties Direct Digital Signatures

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Computer Security 3e. Dieter Gollmann. Chapter 15: 1

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

ECEN 5022 Cryptography

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Security Handshake Pitfalls

CT30A8800 Secured communications

Robust EC-PAKA Protocol for Wireless Mobile Networks

Lecture 1: Course Introduction

Exercises with solutions, Set 3

Security Analysis of Shim s Authenticated Key Agreement Protocols from Pairings

Chapter 9 Public Key Cryptography. WANG YANG

Network Security and Internet Protocols

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Chapter 9: Key Management

Cryptography and Network Security Chapter 13. Digital Signatures & Authentication Protocols

Security: Focus of Control. Authentication

CS 161 Computer Security

Public-key Cryptography: Theory and Practice

Computer Networks & Security 2016/2017

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

2.1 Basic Cryptography Concepts

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

BAN Logic. Logic of Authentication 1. BAN Logic. Source. The language of BAN. The language of BAN. Protocol 1 (Needham-Schroeder Shared-Key) [NS78]

Security Handshake Pitfalls

Formal Methods for Assuring Security of Computer Networks

CIS 4360 Secure Computer Systems Applied Cryptography

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Strong Password Protocols

Lecture 4: Authentication Protocols

Cryptographic Checksums

CSC/ECE 774 Advanced Network Security

Proofs for Key Establishment Protocols

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

CSC 774 Network Security

CS Protocol Design. Prof. Clarkson Spring 2017

KEY AGREEMENT PROTOCOLS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 13 of Trappe and Washington

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

6. Security Handshake Pitfalls Contents

A Critical Analysis and Improvement of AACS Drive-Host Authentication

Transcription:

our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session key establishment protocols - basic concepts, definitions, and classification - key transport based on symmetric encryption - key transport based on public-key encryption - key agreement based on asymmetric techniques

Goal and motivitaion Basic concepts, definitions, and classification goal of key establishment protocols to setup a shared secret between two (or more parties it is desired that the secret established by a fixed pair of parties varies on subsequent executions of the protocol (dynamicity established shared secret is used as a session key to protect communication between the parties motivation for use of session keys to limit available ciphertext for cryptanalysis to limit exposure caused by the compromise of a session key to avoid long-term storage of a large number of secret keys (keys are created on-demand when actually required to create independence across communication sessions or applications 2

Basic classification Basic concepts, definitions, and classification key transport protocols one party creates or otherwise obtains a secret value, and securely transfers it to the other party key agreement protocols a shared secret is derived by the parties as a function of information contributed by each, such that no party can predetermine the resulting value 3

Further protocol characterestics Basic concepts, definitions, and classification provided guarantees entity authentication one party is assured about the identity of a second party with which it is communicating implicit key authentication one party is assured that no other party aside from a specifically identified second party (and possibly some trusted third parties may gain access to the established session key key confirmation one party is assured that a second (possibly unidentified party actually possesses the session key possession of a key can be demonstrated by producing a one-way hash value of the key or encryption of known data with the key explicit key authentication implicit key authentication + key confirmation key freshness one party is assured that the key is new (never used before key control in some protocols, one of the parties control the value of the key (key transport, in others, no party can control (predict its value (key agreement 4

Further protocol characterestics Basic concepts, definitions, and classification reciprocity guarantees are provided unilaterally guarantees are provided mutually efficiency number of message exchanges (passes required total number of bits transmitted (i.e., bandwidth used complexity of computations by each party possibility of precomputations to reduce on-line computational complexity third party requirements on-line, off-line, or no third party at all degree and type of trust required in the third party system setup distribution of initial keying material 5

Attacker model Basic concepts, definitions, and classification it is assumed that the underlying cryptographic primitives (such as encryption, hash functions, etc used in the protocol are secure the attacker is not a cryptanalyst, but someone who tries to subvert the protocol objectives by defeating the manner in which the crypto primitives are combined in the protocol it is assumed that the network used by the protocol parties is under the full control of the attacker the attacker can delete, insert, and modify messages, replay old messages as well as messages from concurrent protocol runs with no noticeable delay essentially, honest parties send and receive messages to and from the attacker who can decide whether to pass them on or carry out some of the above actions 6

Attacker model Basic concepts, definitions, and classification sometimes it is assumed that the attacker has access to additional information beyond what is generally available compromise of past session keys obviously, the corresponding session is compromised can this be used by the attacker to compromise future sessions? if not, then the protocol resists against known-key attacks compromise of long-term secrets (symmetric keys or private keys obviously, owners of compromised keys can be impersonated in future sessions can this be used by the attacker to compromise past session keys? if not, then the protocol provides break-backward protection or perfect forward secrecy 7

Attacker model Basic concepts, definitions, and classification objectives of the attacker deduce a long-term key the attacker obtains the long-term key of a honest party A deduce a session key the attacker obtains a session key shared between two honest parties A and B masquerade as a honest party B to A A believes that he established a session key with B, but in fact he established the key with the attacker deceive a honest party A regarding the identity of the other party attack types A believes that he established a session key with B, but in fact he established the key with another honest party C the attacker does not know the established session key passive eavesdropping man-in-the-middle: participating covertly in the protocol run between two parties and modifying messages unnoticeably interleaving: initiating one or more protocol executions (possibly simultaneously and interleave messages from different executions 8

The Wide-Mouth-Frog protocol Key transport based on symmetric encryption summary: a simple key transport protocol that uses a trusted third party generates the session key and sends it to via the trusted third party generate k A, E Kas ( B, k, T a Server E Kbs ( A, k, T s characteristics: key control for implicit key authentication for explicit key authentication for key freshness for with timestamps (flawed unilateral entity authentication of on-line third party (Server trusted for secure relaying of keys and verification of freshness, in addition A is trusted for generating good keys initial long-term keys between the parties and the server are required 9

A flaw in the Wide-Mouth-Frog protocol summary: after observing one run of the protocol, Trudy can continuously use the Server as an oracle until she wants to bring about re-authentication between and Key transport based on symmetric encryption Server B, E ( A, k, T K bs s E ( B, k, T K as s (1 A, E ( B, k, T K as s (1 E ( A, k, T K bs s (2... Trudy E K bs ( A, k, T s (n 10

The Needham-Schroeder protocol Key transport based on symmetric encryption summary: requests a session key from the Server; the Server generates the key and sends it to and to via ; and performs entity authentication and key confirmation A, B, r a Server E Kas (r a, B, k, E Kbs (k, A generate k E Kbs (k, A E k (r b E k (r b -1 characteristics: mutual entity authentication, mutual explicit key authentication, key freshness with fresh random numbers (flawed, on-line third party trusted for generation of session keys, initial long-term keys between the parties and the server are required 11

A flaw in the Needham-Schroeder protocol assumption: Trudy recorded a successful run of the protocol and compromised the session key k; thus, she knows k and E Kbs (k, A Key transport based on symmetric encryption summary: Trudy masquerades as to and makes accept the old and compromised session key k Trudy E Kbs (k, A E k (r b E k (r b -1 12

The Kerberos protocol Key transport based on symmetric encryption summary: essentially the Needham-Schroeder protocol with timestamps the protocol is optimized with respect to the original Needham-Schroeder protocol (fewer messages and no double encryption in the second message A, B, r a Server E Kas (k, r a, L, B, E Kbs (k, A, L generate k E Kbs (k, A, L, E k (A, T a E k ( T a characteristics: mutual entity authentication, mutual explicit key authentication, key freshness with timestamp and random number, clock synchronization is required, on-line third party trusted for generation of session keys, initial long-term keys between the parties and the server are required 13

The Needham-Schroeder public-key protocol Key transport based on public-key encryption summary: originally a challenge-response type mutual authentication protocol based on public-key encryption only (no signatures; however, since the random numbers exchanged never appear in clear, it was suggested to derive a session key from them P Kb (r a, A P Ka (r a, r b P Kb ( r b key derivation: both party computes k = f(r a, r b characteristics: mutual entity authentication, mutual implicit key authentication (flawed, no key confirmation, key freshness with random numbers, no party can control the key, off-line third party for issuing public key certificates may be required, initial exchange of public keys between the parties may be required 14

Lowe s attack Key transport based on public-key encryption assumption: Mallory is a malicious user, his public key is K m summary: when starts the protocol with Mallory, he can masquerade as to ; Mallory uses as an oracle to decrypt a message received from ; if the protocol is used for key establishment, then falsely believes that he shares a secret key with, but indeed he shares it with Mallory P Km (r a, A P Ka (r a, r b P Km ( r b Mallory P Kb (r a, A P Ka (r a, r b P Kb ( r b 15

Encrypting signed keys summary: generates a session key, sings it, then encrypts it with s public key, and sends it to Key transport based on public-key encryption generate k P Kb (A, k, T a, S Ka (B, k, T a characteristics: unilateral entity authentication (of, mutual implicit key authentication, key confirmation for, key freshness with timestamp, clock synchronization needed, off-line third party for issuing public key certificates may be required, initial exchange of public keys between the parties may be required, is trusted to generate keys, non-repudiation guarantee for notes: the ID of in the signature prevents from sending the signed key on to another party and impersonating ; the ID of in the encrypted message is a hint for that helps him to choose the right key for verification of the signature. 16

Signing encrypted keys Key transport based on public-key encryption summary: generates a session key, encrypts it with s public key, then sings it, and sends it to generate k T a, P Kb (A, k, S Ka (T a, P Kb (A, k characteristics: unilateral entity authentication (of, mutual implicit key authentication, no key confirmation, key freshness with timestamp, clock synchronization, off-line third party for issuing public key certificates may be required, initial exchange of public keys between the parties may be required, is trusted to generate keys, non-repudiation guarantee for notes: the ID of in the encrypted message is a hint for that helps him to choose the right key for verification of the signature an advantage of this protocol over the encrypting signed keys protocol is that here less data is encrypted (almost surely fits in the block size 17

The Diffie-Hellman protocol Key agreement based on asymmetric techniques summary: a key agreement protocol based on one-way functions; in particular, security of the protocol is based on the hardness of the discrete logarithm problem and that of the Diffie-Hellman problem assumptions: p is a large prime, g is a generator of Z p*, both are publicly known system parameters select random x compute g x mod p compute k = (g y x mod p g x mod p g y mod p select random y compute g y mod p compute k = (g x y mod p characteristics: NO AUTHENTICATION, key freshness with randomly selected exponents, no party can control the key, no need for a trusted third party 18

The Station-to-Station protocol Key agreement based on asymmetric techniques summary: three-pass variation of the basic Diffie-Hellman protocol; it uses digital signatures to provide mutual entity authentication and mutual explicit key authentication select random x compute g x mod p compute k = (g y x mod p g x mod p g y mod p, E k (S Kb (g y, g x E k (S Ka (g x, g y select random y compute g y mod p compute k = (g x y mod p characteristics: mutual entity authentication, mutual explicit key authentication, key freshness with random exponents, no party can control the key, off-line third party for issuing public key certificates may be required, initial exchange of public keys between the parties may be required 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback