Key Establishment and Authentication Protocols EECE 412

Similar documents
Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

Diffie-Hellman. Part 1 Cryptography 136

Real-time protocol. Chapter 16: Real-Time Communication Security

CS 494/594 Computer and Network Security

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

CIS 4360 Secure Computer Systems Applied Cryptography

CS 161 Computer Security

Authentication. Strong Password Protocol. IT352 Network Security Najwa AlGhamdi

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Spring 2010: CS419 Computer Security

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Chapter 9 Public Key Cryptography. WANG YANG

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

Session key establishment protocols

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

Session key establishment protocols

Kurose & Ross, Chapters (5 th ed.)

Applied Cryptography and Computer Security CSE 664 Spring 2017

PROTECTING CONVERSATIONS

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Strong Password Protocols

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Cryptographic Protocols 1

Authentication Part IV NOTE: Part IV includes all of Part III!

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

1. Diffie-Hellman Key Exchange

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

CS Computer Networks 1: Authentication

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Authenticating People and Machines over Insecure Networks

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Computer Networks & Security 2016/2017

2.1 Basic Cryptography Concepts

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Introduction to Cryptography Lecture 7

What did we talk about last time? Public key cryptography A little number theory

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Authentication Handshakes

Password. authentication through passwords

Auth. Key Exchange. Dan Boneh

Public Key Algorithms

Cryptographic Checksums

Overview. Public Key Algorithms I

ECEN 5022 Cryptography

CSC 474/574 Information Systems Security

Encryption. INST 346, Section 0201 April 3, 2018

Security Handshake Pitfalls

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Chapter 9: Key Management

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Computer Security. 10. Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Symmetric Encryption 2: Integrity

Key Agreement. Guilin Wang. School of Computer Science, University of Birmingham

Lecture 2 Applied Cryptography (Part 2)

Public Key Algorithms

CSE 127: Computer Security Cryptography. Kirill Levchenko

Applied Cryptography Protocol Building Blocks

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Modern cryptography 2. CSCI 470: Web Science Keith Vertanen

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

UNIT - IV Cryptographic Hash Function 31.1

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Introduction to Cryptography Lecture 7

Number Theory and RSA Public-Key Encryption

Keywords Session key, asymmetric, digital signature, cryptosystem, encryption.

Uzzah and the Ark of the Covenant

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

Public-key Cryptography: Theory and Practice

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

CSC 474/574 Information Systems Security

Part VI. Public-key cryptography

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

SECURITY IN NETWORKS

CS 161 Computer Security

Robust EC-PAKA Protocol for Wireless Mobile Networks

Fall 2010/Lecture 32 1

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

Other Topics in Cryptography. Truong Tuan Anh

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange. Dan Boneh

Key Establishment. Chester Rebeiro IIT Madras. Stinson : Chapter 10

CSC/ECE 774 Advanced Network Security

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

A robust smart card-based anonymous user authentication protocol for wireless communications

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Chapter 9. Public Key Cryptography, RSA And Key Management

Cryptographic Systems

SECURITY IN NETWORKS 1

Transcription:

Key Establishment and Authentication Protocols EECE 412 1

where we are Protection Authorization Accountability Availability Access Control Data Protection Audit Non- Repudiation Authentication Cryptography Service Continuity Disaster Recovery Requirements Assurance Assurance Design Assurance Development Assurance Operational Assurance 2

The security of a cryptosystem must not depend on keeping secret the crypto-algorithm. The security depends only on keeping secret the key Auguste Kerckhoff von Nieuwenhof Dutch linguist 1883 3

session key with mutual authentication using symmetric key I m Alice, R A R B, E( Bob, R A, K AB ) Alice E( Alice, R B, K S, K AB ) Bob 4

FPS session key with mutual authentication using symmetric key I m Alice, R A R B, E( Bob, R A, g b mod p, K AB ) Alice E( Alice, R B, g a mod p, K AB ) Bob 5

Outline 1. Diffie-Hellman key exchange 2. mutual authentication in networks 3. perfect forward secrecy 6

learning objectives You should be able to analyze key establishment and authentication protocols and identify their vulnerabilities improve or design new key establishment and authentication protocols 7

Notation X Y : { Z W } k X,Y == E( Z, W, kx,y) X sends Y the message produced by concatenating Z and W enciphered by key k X,Y, which is shared by users X and Y A T : { Z } k A { W } k A,T A sends T a message consisting of the concatenation of Z enciphered using k A, A s key, and W enciphered using k A,T, the key shared by A and T r 1, r 2 nonces ( nonrepeating random numbers) 8

TLS example CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x35 }; CipherSuite TLS_DH_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x37 }; 9

Diffie-Hellman Key Exchange 10

important trivia Invented by Williamson (GCHQ) and, independently, by D and H (Stanford) A key exchange algorithm Used to establish a shared symmetric key Not for encrypting or signing Security rests on difficulty of discrete log problem: given g, p, and g k mod p find k 11

how it works Let p be prime, let g be a generator For any x {1,2,,p-1} there is n s.t. x = gn mod p 1. Alice selects secret value a 2. Bob selects secret value b 3. Alice sends g a mod p to Bob 4. Bob sends g b mod p to Alice 5. Both compute shared secret g ab mod p e.g., Bob computes (g a ) b mod p = g ab mod p 12

why it s hard to attack Suppose that Bob and Alice use g ab mod p as a symmetric key Trudy can see g a mod p and g b mod p Note ga g b mod p = g a+b mod p g ab mod p If Trudy can find a or b, system is broken If Trudy can solve discrete log problem, then she can find a or b 13

Public: g and p the protocol Secret: Alice s exponent a, Bob s exponent b g a mod p g b mod p Alice, a Bob, b Alice computes (g b ) a = g ba = g ab mod p Bob computes (g a ) b = g ab mod p Could use K = g ab mod p as symmetric key 14

Man-in-the-Middle Attack g a mod p g t mod p g t mod p g b mod p Alice, a Trudy, t Bob, b Trudy shares secret g at mod p with Alice Trudy shares secret g bt mod p with Bob Alice and Bob don t know Trudy exists! 15

how to prevent MiM attack? Encrypt DH exchange with symmetric key Encrypt DH exchange with public key Sign DH values with private key Other? You MUST be aware of MiM attack on Diffie-Hellman 16

Authentication Protocols 17

basics Alice must prove her identity to Bob Alice and Bob can be humans or computers May also require Bob to prove he s Bob (mutual authentication) May also need to establish a session key May have other requirements, such as Use only public keys Use only symmetric keys Use only a hash function Anonymity, plausible deniability, etc., etc. 18

why authentication can be hard? relatively simple on a stand-alone computer Secure path is the primary issue main concern is an attack on authentication software much more complex over a network attacker can passively observe messages attacker can replay messages active attacks may be possible (insert, delete, change messages) 19

simple authentication I m Alice Alice Prove it My password is frank Bob Simple and may be OK for standalone system But insecure for networked system Subject to a replay attack (next 2 slides) Bob must know Alice s password 20

authentication attack I m Alice Alice Prove it My password is frank Bob Trudy 21

authentication Attack I m Alice Trudy Prove it My password is frank Bob This is a replay attack How can we prevent a replay? 22

Simple Authentication I m Alice, My password is frank Alice Bob More efficient But same problem as previous version 23

Better Authentication I m Alice Alice Prove it h(alice s password) Bob Better since it hides Alice s password From both Bob and attackers But still subject to replay 24

challenge-response To prevent replay, challenge-response used Suppose Bob wants to authenticate Alice Challenge sent from Bob to Alice Only Alice can provide the correct response Challenge chosen so that replay is not possible How to accomplish this? Password is something only Alice should know For freshness, a number used once or nonce 25

illustration Monty Python and the Holy Grail (1h18m) 26

simple challenge-response I m Alice Alice Nonce h(alice s password, Nonce) Bob Nonce is the challenge The hash is the response Nonce prevents replay, insures freshness Password is something Alice knows Note that Bob must know Alice s password 27

general challenge-response I m Alice Nonce Alice Something that could only be from Alice (and Bob can verify) Bob What can we use to achieve this? Hashed pwd works, crypto might be better 28

symmetric key notation Encrypt plaintext P with key K C = E(P,K) Decrypt ciphertext C with key K P = D(C,K) Here, we are concerned with attacks on protocols, not directly on the crypto We assume that crypto algorithm is secure 29

authentication with symmetric key Alice and Bob share symmetric key K AB key K AB known only to Alice and Bob authenticate by proving knowledge of shared symmetric key how to accomplish this? must not reveal key must not allow replay attack 30

authentication with symmetric key I m Alice R E(R,K AB ) Alice, K AB Bob, K AB Secure method for Bob to authenticate Alice Alice does not authenticate Bob Can we achieve mutual authentication? 31

mutual authentication? I m Alice, R E(R,K AB ) Alice E(R,K AB ) Bob What s wrong with this picture? Alice could be Trudy (or anybody else)! 32

Mutual Authentication Since we have a secure one-way authentication protocol The obvious thing to do is to use the protocol twice Once for Bob to authenticate Alice Once for Alice to authenticate Bob This has to work 33

Mutual Authentication I m Alice, R A R B, E(R A,K AB ) Alice E(R B,K AB ) Bob This provides mutual authentication Is it secure? 34

attack on mutual authentication 1. I m Alice, R A 2. R B, E(R A,K AB ) Trudy 5. E(R B,K AB ) Bob Trudy 3. I m Alice, R B 4. R C, E(R B,K AB ) Bob 35

Notes on Mutual Authentication Our one-way authentication protocol not secure for mutual authentication Protocols are subtle! The obvious thing may not be secure Also, if assumptions or environment changes, protocol may not work This is a common source of security failure For example, Internet protocols 36

mutual authentication with symmetric key I m Alice, R A R B, E( Bob, R A, K AB ) Alice E( Alice, R B, K AB ) Bob Do these insignificant changes help? Yes! 37

session key with mutual authentication using symmetric key I m Alice, R A R B, E( Bob, R A, K AB ) Alice E( Alice, R B, K S, K AB ) Bob 38

Perfect Forward Secrecy 39

Perfect Forward Secrecy The concern Alice encrypts message with shared key K AB and sends ciphertext to Bob Trudy records ciphertext and later attacks Alice s (or Bob s) computer to find K AB Then Trudy decrypts recorded messages Perfect forward secrecy (PFS): Trudy cannot later decrypt recorded ciphertext Even if Trudy gets key K AB Is PFS possible? or other secret(s) 40

Perfect Forward Secrecy For perfect forward secrecy, Alice and Bob cannot use K AB to encrypt Instead they must use a session key K S and forget it after it s used Problem: How can Alice and Bob agree on session key K S and insure PFS? 41

naïve session key protocol E(K S, K AB ) E(messages, K S ) Alice, K AB Bob, K AB Trudy could also record E(K S,K AB ) If Trudy gets K AB, she gets K S 42

perfect forward secrecy Can use Diffie-Hellman for PFS Recall Diffie-Hellman: public g and p g a mod p g b mod p Alice, a Bob, b But Diffie-Hellman is subject to MiM How to get PFS and prevent MiM? 43

PFS session key via DH E(g a mod p, K AB ) E(g b mod p, K AB ) Alice, a Bob, b Session key K S = gab mod p Alice forgets a, Bob forgets b Ephemeral Diffie-Hellman Not even Alice and Bob can later recover K S Other ways to do PFS? 44

mutual authentication with symmetric key I m Alice, R A R B, E( Bob, R A, K AB ) Alice E( Alice, R B, K AB ) Bob Do these insignificant changes help? Yes! 45

FPS session key with mutual authentication using symmetric key I m Alice, R A R B, E( Bob, R A, g b mod p, K AB ) Alice E( Alice, R B, g a mod p, K AB ) Bob 46

Outline 1. Diffie-Hellman key exchange 2. mutual authentication in networks 3. perfect forward secrecy 47

learning objectives You should be able to analyze key establishment and authentication protocols and identify their vulnerabilities improve or design new key establishment and authentication protocols 48

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback