Timestamps and authentication protocols

Similar documents
A new key recovery attack on the ANSI retail MAC

Remote user authentication using public information

A novel stateless authentication protocol

Security of the Lin-Lai smart card based user authentication scheme

New attacks on the MacDES MAC Algorithm. 1st July Two new attacks are given on a CBC-MAC algorithm due to Knudsen and Preneel, [2],

Efficient Compilers for Authenticated Group Key Exchange

Ubiquitous One-Time Password Service Using Generic Authentication Architecture

OPTIMISTIC NON-REPUDIABLE INFORMATION EXCHANGE

Tailoring Authentication Protocols. to Match Underlying Mechanisms? Liqun Chen, Dieter Gollmann and Christopher J. Mitchell

A Limitation of BAN Logic Analysis on a Man-in-the-middle Attack

On key control in key agreement protocols. 18th March Abstract

HOST Authentication Overview ECE 525

Authentication Part IV NOTE: Part IV includes all of Part III!

Secure Initial Access Authentication in WLAN

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Real-world security analyses of OAuth 2.0 and OpenID Connect

How to Break and Repair Leighton and Micali s Key Agreement Protocol

Building on existing security

Cryptographic Checksums

Using existing security infrastructures

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Proposed Modifications to CNS/ATM-1 Applications To Support Package-2 Security Services

Efficient Use of Random Delays

CS Protocol Design. Prof. Clarkson Spring 2017

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Chapter 9: Key Management

Reliable Broadcast Message Authentication in Wireless Sensor Networks

City, University of London Institutional Repository. This version of the publication may differ from the final published version.

Error Oracle Attacks on CBC Mode:

A FAIR-EXCHANGE E-COMMERCE PROTOCOL WITH AUTOMATED DISPUTE RESOLUTION

INTRUSION RESPONSE SYSTEM TO AVOID ANOMALOUS REQUEST IN RDBMS

An Improved Remote User Authentication Scheme with Smart Cards using Bilinear Pairings

An Improved Timestamp-Based Password Authentication Scheme Using Smart Cards

An Energy-Efficient Symmetric Cryptography Based Authentication Scheme for Wireless Sensor Networks

Key Agreement. Guilin Wang. School of Computer Science, University of Birmingham

Nigori: Storing Secrets in the Cloud. Ben Laurie

WHITEPAPER. Vulnerability Analysis of Certificate Validation Systems

1 Defining Message authentication

A Vulnerability in the Song Authentication Protocol for Low-Cost RFID Tags

Security properties of two authenticated conference key agreement protocols

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Outline More Security Protocols CS 239 Computer Security February 4, 2004

CIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries

DAMAGE DISCOVERY IN DISTRIBUTED DATABASE SYSTEMS

Security protocols and their verification. Mark Ryan University of Birmingham

Use of Symmetric And Asymmetric Cryptography in False Report Filtering in Sensor Networks

History of message integrity techniques

Network Security Issues and Cryptography

Authenticated Key Agreement without Subgroup Element Verification

ID-based cryptography using symmetric primitives

A Mobile Host Protocol Supporting Route Optimization and Authentication

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

S. Erfani, ECE Dept., University of Windsor Network Security

2008 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes

A secure GSM-based electronic Murabaha transaction. 2. Background

Standard Specifications for Public Key Cryptography: Identity Based Key Agreement Scheme (IBKAS)

Security Analysis of Bluetooth v2.1 + EDR Pairing Authentication Protocol. John Jersin Jonathan Wheeler. CS259 Stanford University.

Prime Field over Elliptic Curve Cryptography for Secured Message Transaction

Exclusion-Freeness in Multi-party Exchange Protocols

Offline dictionary attack on TCG TPM weak authorisation data, and solution

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

Generic collision attacks on hash-functions and HMAC

The Modified Scheme is still vulnerable to. the parallel Session Attack

An Efficient Stream Cipher Using Variable Sizes of Key-Streams

Improving IP address autoconfiguration security in MANETs using trust modelling

Category: Informational March Methods for Avoiding the "Small-Subgroup" Attacks on the Diffie-Hellman Key Agreement Method for S/MIME

Preface. Structure of the Book

Logics of authentication

CHAPTER 4 VERIFIABLE ENCRYPTION OF AN ELLIPTIC CURVE DIGITAL SIGNATURE

Session key establishment protocols

Spring 2010: CS419 Computer Security

CS Protocols. Prof. Clarkson Spring 2016

Obsoletes: 2002 January 2002 Category: Standards Track

Session key establishment protocols

Digital Signature Generation using Fingerprint, Password and Smart Card

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

Diffie-Hellman Protocol as a Symmetric Cryptosystem

CS 161 Computer Security

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.

Cryptography V: Digital Signatures

Cryptanalysis of a Markov Chain Based User Authentication Scheme

On the Security of a Certificateless Public-Key Encryption

Performance Analysis of AODV under Worm Hole Attack 1 S. Rama Devi, 2 K.Mamini, 3 Y.Bhargavi 1 Assistant Professor, 1, 2, 3 Department of IT 1, 2, 3

T Cryptography and Data Security

Lecture 1: Course Introduction

Imposing fairness in electronic commerce

Grouping-Proof Protocol for RFID Tags: Security Definition and Scalable Construction

Web Tap Payment Authentication and Encryption With Zero Customer Effort

CS408 Cryptography & Internet Security

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

1-7 Attacks on Cryptosystems

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Security Handshake Pitfalls

ACOS 3 Contact Card. Functional Specification. Subject to change without prior notice

Watermark-Based Authentication and Key Exchange in Teleconferencing Systems

BAN Logic. Logic of Authentication 1. BAN Logic. Source. The language of BAN. The language of BAN. Protocol 1 (Needham-Schroeder Shared-Key) [NS78]

Group Authentication Using The Naccache-Stern Public-Key Cryptosystem

Efficient RFID authentication scheme for supply chain applications

Cryptography and Network Security Chapter 13. Digital Signatures & Authentication Protocols

AIT 682: Network and Systems Security

Transcription:

Timestamps and authentication protocols Chris J. Mitchell Technical Report RHUL MA 2005 3 25 February 2005 Royal Holloway University of London Department of Mathematics Royal Holloway, University of London Egham, Surrey TW20 0EX, England http://www.rhul.ac.uk/mathematics/techreports

Abstract Timestamp-based authentication and key establishment protocols have received a number of criticisms, despite their potential efficiency advantages. The purpose of this paper is to propose a novel timestamp management method which has the potential to increase the scope of applicability of such protocols. Since timestamp-based protocols typically involve one less message than challenge-response protocols, the potential efficiency gains are considerable. 1 Introduction As has been widely discussed in the literature, see for example chapter 10 of [4], (entity) authentication protocols typically employ one of three types of time variant parameters: timestamps, sequence numbers and nonces. Protocols based on timestamps or sequence numbers typically require one less message than protocols based on nonces, and protocols based on the timestamps have the further advantage of being stateless 1, whereas the other two types of protocol are not. However, a number of problems with timestamp-based protocols have been widely reported see, for example, [2, 4]. One commonly reported problem is the difficulty in ensuring that the clocks held by the communicating parties are securely synchronised. In particular it is normally assumed that such protocols require there to be a reliable source of time within the network, and for all parties to conduct regular secure resynchronisation sessions with this reliable time source to ensure their clocks are correct. In this paper we reconsider the issue of clock synchronisation and suggest that the problems with such protocols may not be so serious after all. In particular, the need for routine resynchronisation with a reliable time source can be avoided. Note that this is potentially significant because, if timestamp-based protocols become practical in a wider range of environments, considerable efficiency savings may be realisable. 2 Timestamps reconsidered We start by making two key observations about timestamp-based authentication protocols. These observations are critical to our subsequent analysis. 1 Of course, the maintenance of a clock value could be regarded as state information, but it is typically provided by separate hardware and hence is not stored state in the normal sense of the term 1

Although it is necessary for the clocks held by a group of communicating devices to be synchronised, it is not necessary for the clocks to be correct. It is simply necessary that all the devices agree on the value of the current time for the purposes of authentication. If the clock values used for authentication purposes are only ever adjusted forwards, then replays of messages are prevented. Note that the second observation is based on the assumption that the normal safeguards are in place for the use of timestamp-based authentication protocols. That is, we are assuming that the clocks used by the communicating devices are not precisely synchronised, but that each device can safely assume that the differences in clock values are less than some threshold value T. Moreover, there is also an assumption that messages sent from one device to another are subject to a maximum transit delay of D. Then the recipient of a message, with current clock value of t c, will accept the message as fresh as long as the timestamp in the message (t m say) satisfies t c T D t m t c +T. This time acceptance interval, i.e. [t c T D,t c +T ] is sometimes referred to as the window of acceptance. Then, in order to detect message replays occurring within this window (and as in [1, 3, 4]), the message recipient must retain copies of all messages received and accepted within this window, and compare them with all newly received messages so as to detect replays. Note that it is only necessary to store a hash of each received message, and compare it with the hash of the newly received message, where the hashes are computed using a collision-resistant cryptographic hash-function (see, for example, [4]). We can now describe how these observations can be used to implement timestamp-based authentication protocols in a simple way, even when there is no reliable source of time within the network. 3 A new implementation scenario We start by making some assumptions about the operation of each device within a group of communicating devices. We suppose that each device within a group of communicating devices possesses a clock that is reasonably reliable (e.g. accurate to within a few seconds a day). This is not an unreasonable assumption in many scenarios; for example, many mobile network devices, including many if not most mobile phones, and almost all PCs and electronic organisers (personal digital assistants), have such a clock. 2

We next suppose that a timestamp-based authentication and/or key establishment protocol is used between pairs of devices within this network. It is not important to the discussion here exactly how this protocol operates indeed it could be based on shared secrets, e.g. using an online trusted third party, or on public/private key pairs and an associated Public Key Infrastructure. We assume only that the protocol uses timestamps to guarantee the freshness of messages, and that the protocol is designed in such a way that the recipient of a timestamped protocol message can guarantee its origin and integrity by cryptographic means. We further suppose that each device maintains a clock offset value, used purely for the purposes of entity authentication and/or key establishment. Specifically, the time value used for security protocol purposes is always the sum of the clock value and the clock offset value. If the clock value is ever adjusted, then the clock offset value must also be adjusted to ensure that the sum of the clock value and the clock offset is never decreased. This would most easily be achieved by ensuring that if the clock value is moved back by δ seconds, then the offset is simultaneously increased by δ seconds. To avoid unnecessary increases in the sum of the clock value and the offset, we also suppose that the offset is reduced by δ seconds whenever the clock is moved forward by δ seconds. Since, as we describe below, the clock offset value is never reduced (except as described immediately above), the sum of the clock value and the clock offset never decreases (cf. Section 2). We now consider how a device uses timestamps within the authentication (or key establishment) protocol. We separate our discussion into two parts: receipt of messages, where the timestamp is used to decide whether or not to accept a received message, and transmission of messages, where a timestamp is generated and inserted into the message. When a device receives a protocol message containing a (protected) timestamp, this timestamp is compared with the current clock value for the device in the following way. Suppose the timestamp in the message is t m, the current clock value is t c, the current clock offset value (stored within the device) is t o, and T and D are as above. Then the message is accepted as fresh as long as the following inequality holds: t c + t o T D t m. Moreover, if t m > t c + t o, then t m t c t o is added to the clock offset value. When a device sends a protocol message containing a timestamp, this timestamp is set equal to t c + t o. 3

4 Analysis and failure handling We now consider how this timestamp management process provides the required freshness checking for protocol messages. First note that, as in Section 2, we suppose that every device maintains a list of all messages received with a timestamp t m satisfying t c +t o T D t m. As soon as the timestamp t m in a stored message no longer satisfies this inequality it can be discarded. Every received message is compared with the current list of stored messages, and discarded if it matches. Since the value t c +t o never decreases, and given that T and D are fixed, it should be clear that once a message has been successfully received by a device, any replay of this message will be rejected. This is the primary objective of freshness checking. This has been achieved without any assumptions about routine clock resynchronisation. Of course, there is a danger that, if device A s clock+offset value is significantly in advance of the clock+offset value of device B, all messages sent from B to A will be rejected. This situation could arise if there is no routine clock resynchronisation and messages are sent between devices relatively infrequently. There are a number of ways in which this could be dealt with. We mention two possible approaches. 1. The first solution would be for the recipient of any message which is rejected because of an old timestamp to respond to the message sender with a cryptographically protected timestamp equal to t c + t o. (This of course assumes that the cryptographic keys necessary for such a transfer are in place). When the sender of the failed message receives this message, it will increase its clock offset appropriately, as in Section 3. 2. The second solution would involve the message recipient informing a third party about the problem, e.g. a network management entity, who would then send an appropriate message to the originating device, causing it to update its clock offset. 5 Hazards and countermeasures We now consider how the scheme described above might go wrong. Clock failures. The first and perhaps most obvious problem we consider is where the clock within one device in the network fails catastrophically. By catastrophically we mean that the sum of the clock value and the clock offset is set equal to a very large value somewhere close to the maximum possible. Every time this failed device 4

sends a message, the recipient will be obliged to reset its clock offset to the largest possible value, and this situation may rapidly disseminate across the network. Once the maximum clock value is reached, the whole network will potentially fail. There are a number of possible means that can be used to avoid such a catastrophic situation. Firstly, we can impose restrictions on the size of any increase in the clock offset value. If the difference is too large to be credible, an error message can be generated and sent to either the message originator or a network management entity (or both). Secondly, we can modify the system so that clock offset values are not routinely updated as described in Section 3. If the recipient of a message (A say) finds that t m > t c + t o, then there are two possible cases. If t m t c t o is less than some defined threshold then no action is taken by A (i.e. if the clock on the sending device is just slightly ahead of the clock of A, then no adjustments are made). However, if t m t c t o is greater than the threshold value then A sends a request to a trusted third party (TTP) for a time resynchronisation. This TTP will respond with a cryptographically protected timestamp, which can be used to update the clock offset of A. In such a situation, if some of the network devices have clock values in advance of this TTP, then these devices will not be able to receive messages from other entities in the network. This problem could be avoided by requiring such devices to conduct a nonce-based resynchronisation with the TTP. In such a circumstance (and only in this situation) these devices would be required to change their clock offset so that the sum t c + t o is reduced. Malicious clock manipulation. The clock failure scenario is essentially an accidental Denial of Service (DoS) attack. There are also variants of this which may arise through deliberate manipulation of a genuine member of a network. That is, a malicious entity could deliberately cause clock offsets to be systematically increased to ultimately give rise to a DoS. If clock offset adjustments are size limited, then the malicious attacker could bypass this protection by arranging for a large number of smaller clock increments. However, the second countermeasure to a failed clock prevents this attack, at the cost of increased network traffic. (Note that the messages to the TTP could also enable such attacks to be detected). Postdated message ( suppress replay ) attack. We now consider a problem first described by Gong [2]. Essentially, suppose the clock 5

value added to the clock offset for device A is substantially ahead of the corresponding value for device B. Then a message sent from A to B can be forcibly delayed by a considerable period of time without detection by B. Indeed, by the time the message arrives at B, A may no longer be live, which, if the protocol is providing entity authentication, can be regarded as a protocol failure. Dealing with such a situation is very difficult indeed. However, such an attack will probably only be a problem in certain circumstances. Indeed, if the protocol is being used for key establishment at the start of a secure session, then this attack is most unlikely to be an issue. The conclusion is that a timestamp-based protocol should only be used with care, but the same is true of almost every security solution. 6 Concluding remarks There are some similarities between the timestamp management proposal described here to a previous proposal to use timestamps to generate sequence numbers (see [5]). However, this latter scheme was designed for use in a particular type of network, namely where a single server entity communicates with a large number of client entities, and clients do not intercommunicate. The solution described here is not specific to such a network architecture. The solution described enables timestamp based protocols to be used in the absence of routine clock resynchronisations. There are possible problems with DoS attacks, and also with suppress replay attacks. However, depending on the environment in which the protocol is used, these problems may not be significant. For networks where devices have limited communications resources, e.g. mobile and ad hoc networks, the proposed timestamp management scheme may be an efficient alternative to the use of nonce-based protocols. References [1] L. Chen, D. Gollmann, and C. Mitchell. Tailoring authentication protocols to match underlying mechanisms. In J. Pieprzyk and J. Seberry, editors, Information Security and Privacy Proceedings: First Australasian Conference, Wollongong, NSW, Australia, June 1996, pages 121 133. Springer-Verlag, Berlin, 1996. [2] L. Gong. A security risk of depending on synchronised clocks. ACM Operating Systems Review, 26(1):49 53, January 1992. 6

[3] K.-Y. Lam. Building an authentication service for distributed systems. Journal of Computer Security, 2:73 84, 1993. [4] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, Boca Raton, 1997. [5] C. J. Mitchell. Making serial number based authentication robust against loss of state. ACM Operating Systems Review, 34(3):56 59, July 2000. 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback