Session Key Distribution

Similar documents
Security Handshake Pitfalls

Key Establishment. Chester Rebeiro IIT Madras. Stinson : Chapter 10

Applied Cryptography and Computer Security CSE 664 Spring 2017

Station-to-Station Protocol

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Cryptographic Checksums

Spring 2010: CS419 Computer Security

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Chapter 9: Key Management

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

Elements of Security

What did we talk about last time? Public key cryptography A little number theory

Authentication Handshakes

CSC 474/574 Information Systems Security

BAN Logic. Logic of Authentication 1. BAN Logic. Source. The language of BAN. The language of BAN. Protocol 1 (Needham-Schroeder Shared-Key) [NS78]

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

CIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Key Agreement. Guilin Wang. School of Computer Science, University of Birmingham

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.

Session key establishment protocols

Session key establishment protocols

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

User Authentication Protocols

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Lecture 1: Course Introduction

Trusted Intermediaries

AIT 682: Network and Systems Security

Security protocols and their verification. Mark Ryan University of Birmingham

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

HY-457 Information Systems Security

User Authentication Protocols Week 7

CSCE 813 Internet Security Kerberos

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Lecture 6.2: Protocols - Authentication and Key Exchange II. CS 436/636/736 Spring Nitesh Saxena. Course Admin

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Security Handshake Pitfalls

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

Identification Schemes

Computer Networks & Security 2016/2017

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

Outline More Security Protocols CS 239 Computer Security February 6, 2006

S. Erfani, ECE Dept., University of Windsor Network Security

Security Handshake Pitfalls

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Network Security and Internet Protocols

Outline More Security Protocols CS 239 Computer Security February 4, 2004

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Network Security (NetSec)

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

ECEN 5022 Cryptography

CS3235 Seventh set of lecture slides

Cryptanalysis of Two Password-Authenticated Key Exchange. Protocols between Clients with Different Passwords

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

8.7 Authentication Protocols

CSC 482/582: Computer Security. Security Protocols

CS Protocols. Prof. Clarkson Spring 2016

Fall 2010/Lecture 32 1

Symmetric Encryption

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

CS 161 Authentication Protocols. Zero knowledge review

Information Security & Privacy

Authentication Protocols

Information Security CS 526

Computer Security 4/12/19

CS Computer Networks 1: Authentication

CPSC 467: Cryptography and Computer Security

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

Grenzen der Kryptographie

Unit-VI. User Authentication Mechanisms.

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

CS 161 Computer Security

Lecture 7 - Applied Cryptography

Verification of security protocols introduction

Modelling and Analysing of Security Protocol: Lecture 1. Introductions to Modelling Protocols. Tom Chothia CWI

AUTHENTICATION APPLICATION

Course Administration

1 A Tale of Two Lovers

2.1 Basic Cryptography Concepts

(More) cryptographic protocols

Chapter 10: Key Management

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Computer Security. 10. Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

Key Establishment and Authentication Protocols EECE 412

Key Agreement Schemes

Lecture 4: Authentication Protocols

Lecture 9. Authentication & Key Distribution

T Cryptography and Data Security

The Kerberos Authentication System Course Outline

Applied Cryptography Basic Protocols

Transcription:

Session Key Distribution The TA shares secret keys with network users. The TA chooses session keys and distributes them in encrypted form upon request of network users. We will need to define appropriate attack models and adversarial goals. It is difficult to formulate precise definitions because SKDS often do not include mutual identification of Alice and Bob. In this lecture, we mainly give a historical tour of some SKDS. Lecture 11, Oct. 15, 2003 1

Protocol: Needham-Schroeder SKDS (1978) 1. Alice chooses a random number, r A. Alice sends ID(Alice), ID(Bob) andr A to the TA. 2. The TA chooses a random session key, K. Then it computes t Bob = e KBob (K ID(Alice)) (a ticket to Bob) and y 1 = e KAlice (r A ID(Bob) K t Bob ) and sends y 1 to Alice. 3. Alice decrypts y 1 using her key K Alice, obtaining K and t Bob. Then Alice sends t Bob to Bob. 4. Bob decrypts t Bob using his key K Bob, obtaining K. Then, Bob chooses a random number r B and computes y 2 = e K (r B ). Bob sends y 2 to Alice. 5. Alice decrypts y 2 using the session key K, obtaining r B.Then Alice computes y 3 = e K (r B 1) and sends y 3 to Bob. Lecture 11, Oct. 15, 2003 2

Validity Checks in the NS Protocol in this protocol, the term validitiy checks refers to checking that decrypted data has correct format and contains expected information (there are no MACs being used in the NS SKDS) when Alice decrypts y 1, she checks to see that the plaintext d KAlice (y 1 )=r A ID(Bob) K t Bob for some K and t Bob if the above condition holds, then Alice accepts, otherwise Alice rejects when Bob decrypts y 3, he checks to see that the plaintext d K (y 3 )=r B 1 if the above condition holds, then Bob accepts, otherwise Bob rejects Lecture 11, Oct. 15, 2003 3

The Needham-Schroeder SKDS (diagram) TA A B t B = e B (K A) A, B, r A e A (r A B K t B ) t B e K (r B ) e K (r B 1) Lecture 11, Oct. 15, 2003 4

Denning-Sacco Known Session-key Attack (1981) suppose Oscar records a session of the Needham-Schroeder protocol between Alice and Bob, and somehow obtains the session key, K Oscar can initiate a new session of the Needham-Schroeder protocol by sending the previously used ticket, t B,toBob: Oscar Bob t B = e B (K A) e K (r B ) e K (r B 1) Lecture 11, Oct. 15, 2003 5

Consequences of the Denning-Sacco Attack Bob thinks he has a new session key, K, shared with Alice this new key K is known to Oscar, but it probably is not known to Alice (she may have thrown away the key K after the previous session terminated) in any reasonable formulation of adversarial goals, this would be considered a successful attack! Lecture 11, Oct. 15, 2003 6

Protocol: Simplified Kerberos V5 (1989) 1. Alice chooses a random number, r A. Alice sends ID(Alice), ID(Bob) andr A to the TA. 2. The TA chooses a random session key K and a validity period (or lifetime), L. Then it computes t Bob = e KBob (K ID(Alice) L) and y 1 = e KAlice (r A ID(Bob) K L) and sends t Bob and y 1 to Alice. 3. Alice decrypts y 1 using her key K Alice, obtaining K. Then Alice deterimines the current time, time A, computes y 2 = e K (ID(Alice) time A ) and she sends t Bob and y 2 to Bob. 4. Bob decrypts t Bob using his key K Bob, obtaining K. Then, Bob computes y 3 = e K (time A ). Bob sends y 3 to Alice. 5. Alice decrypts y 3 using the session key K, and verifies that time A is the result. Lecture 11, Oct. 15, 2003 7

Validity Checks in Kerberos when Alice decrypts y 1, she checks to see that the plaintext d KAlice (y 1 )=r A ID(Bob) K L for some K and L if the above condition does not hold, then Alice rejects and aborts the current session when Bob decrypts y 2 and t Bob, he checks to see that the plaintext d K (y 3 )=ID(Alice) time A and the plaintext d KBob (t Bob )=K ID(Alice) L, whereid(alice) isthesame in both plaintexts and time A L if the above conditions hold, then Bob accepts, otherwise Bob rejects when Alice decrypts y 3,shechecksthatd K (y 3 )=time A if the above condition holds, then Alice accepts, otherwise Alice rejects Lecture 11, Oct. 15, 2003 8

Kerberos V5 (diagram) TA A B A, B, r A t B,y 1 t B,y 2 e K (time A ) where t B = e B (K A L), y 1 = e A (r A B K L), and y 2 = e K (A time A ) Lecture 11, Oct. 15, 2003 9

Comments on NS and Kerberos (1) Steps 1 3 of NS comprise key distribution; steps 4 and 5 provide key confirmation from Alice to Bob. In Kerberos, mutual key confirmation is accomplished in steps 3 and 4. (2) In NS, information intended for Bob is doubly encrypted, which adds unnecessary complexity to the protocol; this double encryption was removed in Kerberos. (3) Partial protection against the Denning-Sacco replay attack is provided in Kerberos by the authenticated timestamp, y 2. However: timestamps require reliable, synchronized clocks; and protocols using timestamps are hard to analyze and it is difficult to give convincing security proofs for them. For the above reasons, random challenges may be preferred to timestamps. Lecture 11, Oct. 15, 2003 10

CommentsonNSandKerberos(cont.) (4) It is not a good idea to use the session key, K, to encrypt information in an SKDS, because information about K may be revealed; this makes it difficult to ensure semantic security of the session key. (5) Key confirmation is not required for an SKDS protocol to be considered secure! Furthermore, possession of a key during the SKDS does not imply possession of the key at a later time. For these reasons, it is now generally recommended that key confirmation be omitted from SKDS. (6) In NS and Kerberos, encryption is used to provide both secrecy and authenticity it is better to use a MAC to provide authenticity. Lecture 11, Oct. 15, 2003 11

Improving the Second Flow of NS It is better to remove the double encryption and use MACs for authentication: 2. The TA chooses a random session key K. Then it computes t Bob = e KBob (K ID(Alice)) and y 1 = e KAlice (r A ID(Bob) K t Bob ) and sends y 1 to Alice.... should be replaced by the following: 2. The TA chooses a random session key K. Then it computes and y 1 =(e KBob (K), MAC Bob (ID(Alice) e KBob (K)), y 1 =(e KAlice (K), MAC Alice (ID(Bob) r A e KAlice (K)) The TA sends y 1 to Bob (possibly via Alice) and y 1 to Alice. Lecture 11, Oct. 15, 2003 12

Further Discussion the revised second flow does not fix the flaw in NS found by Denning and Sacco (note that a similar attack can be carried out in Kerberos within the specified lifetime of the key) the flow structure of the protocol must be modified: a secure protocol should involve Bob as an active participant prior to his receiving the session key, in order to prevent Denning-Sacco type replay attacks the solution is to have Alice contact Bob (or vice versa) before sending a request to the TA we present a modern, secure protocol due to Bellare and Rogaway Lecture 11, Oct. 15, 2003 13

Protocol: Bellare-Rogaway SKDS (1995) 1. Alice chooses a random number, r A, and she sends ID(Alice) and r A to Bob. 2. Bob chooses a random number, r B, and he sends ID(Alice), ID(Bob), r A and r B to the TA. 3. The TA chooses a random session key K. Then it computes y B =(e KBob (K), MAC Bob (ID(Alice) ID(Bob) r B e KBob (K)) and y A =(e KAlice (K), MAC Alice (ID(Bob) ID(Alice) r A e KAlice (K)) The TA sends y B to Bob and y A to Alice. 4. Alice decrypts y A using her key K Alice, obtaining K. Bob decrypts y B using his key K Bob, obtaining K. Lecture 11, Oct. 15, 2003 14

Comments on the Bellare-Rogaway Protocol (honest) Alice and Bob accept if the MACs they receive are valid, and the random challenges (r a and r b, respectively) in the MACs are the same as the ones that they chose in steps 1 and 2 of the protocol the TA is authenticated to Alice and Bob by the use of MACs in step 3 the protocol does not include authentication of Alice to Bob, or of Bob to Alice, or of Alice or Bob to the TA the protocol also does not provide key confirmation (from Alice to Bob, or from Bob to Alice) however, the protocol is a secure (unauthenticated) key distribution protocol, which means that it satisfies certain security properties in a known session key attack, which will be discussed in the next lecture Lecture 11, Oct. 15, 2003 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback