CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

Similar documents
Authentication Handshakes

CSC 474/574 Information Systems Security

Security Handshake Pitfalls

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

6. Security Handshake Pitfalls Contents

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Security Handshake Pitfalls

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Security Handshake Pitfalls

Security Handshake Pitfalls

CIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Trusted Intermediaries

AIT 682: Network and Systems Security

Spring 2010: CS419 Computer Security

CIS 6930/4930 Computer and Network Security. Final exam review

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.

User Authentication Protocols Week 7

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

User Authentication Protocols

Elements of Security

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Authentication. Strong Password Protocol. IT352 Network Security Najwa AlGhamdi

Cryptographic Checksums

Fall 2010/Lecture 32 1

Session key establishment protocols

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Cryptographic Protocols 1

Session key establishment protocols

Chapter 9: Key Management

EEC-682/782 Computer Networks I

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Security protocols and their verification. Mark Ryan University of Birmingham

Information Security CS 526

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

What did we talk about last time? Public key cryptography A little number theory

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Password. authentication through passwords

Lecture 1: Course Introduction

8.7 Authentication Protocols

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

CSC/ECE 774 Advanced Network Security

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

Distributed Systems Principles and Paradigms

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

CPSC 467b: Cryptography and Computer Security

CSC 774 Network Security

Lecture 4: Authentication Protocols

Authentication Protocols. Outline. Who Is Authenticated?

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Chapter 8. Network Security. Cryptography. Need for Security. An Introduction to Cryptography 10/7/2010

(2½ hours) Total Marks: 75

Network Security. Chapter 8. MYcsvtu Notes.

Real-time protocol. Chapter 16: Real-Time Communication Security

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

AIT 682: Network and Systems Security

Session Key Distribution

Cryptography and Network Security Chapter 13. Digital Signatures & Authentication Protocols

Outline More Security Protocols CS 239 Computer Security February 4, 2004

Strong Password Protocols

Key distribution and certification

13/10/2013. Kerberos. Key distribution and certification. The Kerberos protocol was developed at MIT in the 1980.

CS 494/594 Computer and Network Security

1 Identification protocols

Chapter 8. Network Security. Need for Security. An Introduction to Cryptography. Transposition Ciphers One-Time Pads

Computer Security 4/12/19

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

CS Protocols. Prof. Clarkson Spring 2016

Cryptology Part 1. Terminology. Basic Approaches to Cryptography. Basic Approaches to Cryptography: (1) Transposition (continued)

Contents Digital Signatures Digital Signature Properties Direct Digital Signatures

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

This chapter examines some of the authentication functions that have been developed to support network-based use authentication.

CSE Computer Security

INFSCI 2935: Introduction of Computer Security 1. Courtesy of Professors Chris Clifton & Matt Bishop. INFSCI 2935: Introduction to Computer Security 2

Network Security Chapter 8

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

CS3235 Seventh set of lecture slides

Computer Networks & Security 2016/2017

Distributed Systems Principles and Paradigms. Chapter 09: Security

CSC 482/582: Computer Security. Security Protocols

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

Network Security. Chapter 7 Cryptographic Protocols

Cryptography and Network Security

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Outline Key Management CS 239 Computer Security February 9, 2004

"When you have crossed the river and have advanced a little further, some aged women weaving at the loom will beg you to lend a hand for a short

CS Protocol Design. Prof. Clarkson Spring 2017

Chapter 10 : Private-Key Management and the Public-Key Revolution

Persistent key, value storage

Authentication in real world: Kerberos, SSH and SSL. Zheng Ma Apr 19, 2005

Transcription:

CIS 6930/4930 Computer and Network Security Topic 6.2 Authentication Protocols 1

Authentication Handshakes Secure communication almost always includes an initial authentication handshake. Authenticate each other Establish session keys This process is not trivial; flaws in this process undermine secure communication 2

Authentication with Shared Secret I m A challenge R f(k -, R) Weaknesses Authentication is not mutual; Trudy can convince that she is Trudy can hijack the conversation after the initial exchange If the shared key is derived from a password, Trudy can mount an off-line password guessing attack 3

Authentication with Shared Secret (Cont d) I m K - {R} R Weaknesses still cannot authenticate Trudy can easily get pairs of (plaintext, ciphertext) Trudy can hijack the conversation after the initial exchange Other vulnerability? 4

Authentication with Public Key I m R Sig {R} Weaknesses Authentication is not mutual; Trudy can convince that she is Trudy can hijack the conversation after the initial exchange Trudy can trick into signing something 5

Authentication with Public Key (Cont d) I m {R} R A variation What can trick to do? 6

Mutual Authentication I m R 1 f(k -, R 1 ) R 2 f(k -, R 2 ) Optimize I m, R 2 R 1, f(k -, R 2 ) f(k -, R 1 ) 7

Mutual Authentication (Cont d) Reflection attack Trudy I m, R 2 R 1, f(k -, R 2 ) f(k -, R 1 ) Trudy I m, R 1 R 3, f(k -, R 1 ) 8

Reflection Attacks (Cont d) Lesson: Don t have and do exactly the same thing Different keys Totally different keys K - = K - + 1 Different Challenges: and s challenges cannot be the same The initiator should be the first to prove its identity Assumption: initiator is more likely to be the bad guy 9

Mutual Authentication (Cont d) I m, R 2 R 1, f(k -, R 2 ) f(k -, R 1 ) I m R 1 Countermeasure f(k -, R 1 ), R 2 f(k -, R 2 ) 10

Mutual Authentication (Cont d) Public keys Authentication of public keys is a critical issue I m, {R 2 } R 2, {R 1 } R 1 11

Mutual Authentication (Cont d) Mutual authentication with timestamps Require synchronized clocks and have to encrypt different timestamps I m, f(k -, timestamp) f(k -, timestamp+1) 12

Integrity/Encryption for Data Communication after mutual authentication should be cryptographically protected as well Require a session key established during mutual authentication 13

Establishment of Session Keys Secret key based authentication Assume the following authentication happened. Can we use K - {R} as the session key? Can we use K - {R+1} as the session key? Can we use K - +1 {R} as the session key? In general, modify K - and encrypt R. Use the result as the session key. I m R K - {R} 14

Establishment of Session Keys Secret key based authentication Can we use f(k -, R 1 ), or f(k -, R 2 ) as the session key? Can we use f(k -, R 1 +1), or f(k -, R 2 +1) as the session key? Can we use f(k - +1, R 1 ), or f(k - +1, R 2 ) as the session key? I m R 1 f(k -, R 1 ), R 2 f(k -, R 2 ) 15

Two-Way Public Key Based Authentication Approach I chooses and encrypts R 1 with s public key chooses and encrypts R 2 with s public key Session key is R 1 R 2 Trudy will have to compromise both and Approach II and establish the session key with Diffie-Hellman key exchange and signs the quantity they send 17

Establishment of Session Keys (Cont d) One-way public key based authentication It s only necessary to authenticate the server encrypts R with the server s public key Diffie-Hellman key exchange signs the D-H public key 18

Trusted Key Servers How do a large number of users authenticate each other? inefficient / impractical for every pair of users to negotiate a secret key or share passwords Alternative: everybody shares a key with (and authenticates to) a single trusted third party Assumes there is a way to negotiate a key with the third party 19

Trusted (cont d) Shared keys between the Key Distribution Center (KDC) and users A B K A-KDC KDC K E-KDC K C-KDC K D-KDC C E D 20

(Simplified) Example of Use wishes to communicate securely with ; has previously negotiated K A-KDC with the KDC, has negotiated K B-KDC 1. requests from the KDC a session key to use with 2. KDC generates session key K S, sends to, encrypted with K A-KDC 3. KDC also sends K S to, encrypted with K B-KDC and can then communicate using K S 21

Assessment Simplifies mutual authentication / key negotiation, but secure against attacks? robust to failures? efficient? 22

A Hierarchy of KDCs For an Internet, not practical to have a single KDC instead, imagine one KDC per domain To communicate securely with user in your own domain, just contact your domain s KDC To talk with user in another domain, your KDC needs to contact the other domain s KDC KDCs must be able to authenticate each other and communicate securely 23

Hierarchy (cont d) A K A-K1 K B-K1 KDC-1 Domain 2 B C K C-K1 K E-K2 E KDC-2 Domain 1 K D-K2 D 24

Mediated Authentication (With KDC) KDC operation (in principle) wants to talk to K {K AB } KDC Generate K AB K {K AB } Some concerns Trudy may claim to be and talk to KDC Trudy cannot get anything useful Messages encrypted by using K AB may arrive at before KDC s message K {K AB } arrive It may be difficult for KDC to connect to 25

Mediated Authentication (With KDC) KDC operation (in practice) wants to talk to K {K AB }, K {K AB } Generate K AB KDC K {K AB } ticket Must be followed by a mutual authentication exchange To confirm that and have the same key 26

Needham-Schroeder Protocol Classic protocol for authentication with KDC Many others have been modeled after it (e.g., Kerberos) N 1, wants to talk to K {N 1,, K AB, ticket to }, where ticket to = K {K AB, } Generate K AB KDC ticket to, K AB {N 2 } K AB {N 2 1, N 3 } K AB {N 3 1} How is authenticated? How is authenticated? How is KDC authenticated? What are the N s used for? Why is N-1 needed? 27

Needham-Schroeder Protocol (Cont d) A vulnerability When Trudy gets a previous key K AB used by, Trudy may reuse a previous ticket issued to for Essential reason The ticket to stays valid even if changes her key 28

Expanded Needham-Schroeder Protocol I want to talk to you K {N B } Generate K AB ; extract N B N 1, wants to talk to, K {N B } K {N 1,, K AB, ticket to }, where ticket to = K {K AB,, N B } KDC ticket to, K AB {N 2 } K AB {N 2 1, N 3 } K AB {N 3 1} 29

Otway-Rees Protocol N C,,, K {N A, N C,, } Generate K AB Extract N B KDC K {N A, N C,, }, K {N B, N C,, } N C, K {N A, K AB }, K {N B, K AB } K {N A, K AB } K AB {anything recognizable} Only has five messages KDC checks if N C matches in both cipher-texts Make sure that is really 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback