CSC 474/574 Information Systems Security Topic 3.3: Security Handshake Pitfalls CSC 474/574 Dr. Peng Ning 1 Authentication Handshakes Secure communication almost always includes an initial authentication handshake. Authenticate each other Establish session keys This process is not trivial; flaws in this process undermines secure communication This topic is about typical flaws CSC 474/574 Dr. Peng Ning 2
Authentication with Shared Secret I m A challenge R f(k -, R) Weaknesses Authentication is not mutual; Trudy can convince that she is Trudy can hijack the conversation after the initial exchange If the shared key is derived from a password, Trudy can mount an off-line password guessing attack Trudy may compromise s database and later impersonate CSC 474/574 Dr. Peng Ning 3 Authentication with Shared Secret (Cont d) I m K - {R} R A variation Requires reversible cryptography Other variations are possible Weaknesses All the previous weaknesses remain Trudy doesn t have to see R to mount off-line password guessing if R has certain patterns (e.g., concatenated with a timestamp) Trudy sends a message to, pretending to be CSC 474/574 Dr. Peng Ning 4
Authentication with Public Key I m R Sig {R} s database is less risky Weaknesses Authentication is not mutual; Trudy can convince that she is Trudy can hijack the conversation after the initial exchange Trudy can trick into signing something Use different private key for authentication CSC 474/574 Dr. Peng Ning 5 Authentication with Public Key (Cont d) I m {R} R A variation CSC 474/574 Dr. Peng Ning 6
Mutual Authentication I m R 1 f(k -, R 1 ) R 2 f(k -, R 2 ) Optimize I m, R 2 R 1, f(k -, R 2 ) f(k -, R 1 ) CSC 474/574 Dr. Peng Ning 7 Mutual Authentication (Cont d) Reflection attack Trudy I m, R 2 R 1, f(k -, R 2 ) f(k -, R 1 ) Trudy I m, R 1 R 3, f(k -, R 1 ) CSC 474/574 Dr. Peng Ning 8
Reflection Attacks (Con td) Lesson: Don t have and do exactly the same thing Different keys Totally different keys K - = K - + 1 Different Challenges The initiator should be the first to prove its identity Assumption: initiator is more likely to be the bad guy CSC 474/574 Dr. Peng Ning 9 Mutual Authentication (Cont d) Password guessing I m, R 2 R 1, f(k -, R 2 ) f(k -, R 1 ) I m R 1 Countermeasure f(k -, R 1 ), R 2 f(k -, R 2 ) CSC 474/574 Dr. Peng Ning 10
Mutual Authentication (Cont d) Public keys Authentication of public keys is a critical issue I m, {R 2 } R 2, {R 1 } R 1 CSC 474/574 Dr. Peng Ning 11 Mutual Authentication (Cont d) Mutual authentication with timestamps Require synchronized clocks and have to encrypt different timestamps I m, f(k -, timestamp) f(k -, timestamp+1) CSC 474/574 Dr. Peng Ning 12
Integrity/Encryption for Data Communication after mutual authentication should be cryptographically protected as well Require a session key established during mutual authentication CSC 474/574 Dr. Peng Ning 13 Establishment of Session Keys Secret key based authentication Assume the above authentication happened. Can we use K - {R} as the session key? Can we use K - {R+1}as the session key? In general, modify K - and encrypt R. Use the result as the session key I m R K - {R} CSC 474/574 Dr. Peng Ning 14
Establishment of Session Keys (Cont d) Two-way public key based authentication chooses a random number R, encrypts it with s public key Trudy may hijack the conversation encrypts and signs R Trudy may save all the traffic, and decrypt all the encrypted traffic when she is able to compromise Less severe threat CSC 474/574 Dr. Peng Ning 15 Two-Way Public Key Based Authentication (Cont d) A better approach chooses and encrypts R 1 with s public key chooses and encrypts R 2 with s public key Session key is R 1 R 2 Trudy will have to compromise both and An even better approach and estatlish the session key with Diffie- Hellman key exchange and signs the quantity they send Trudy can t learn anything about the session key even if she compromises both and CSC 474/574 Dr. Peng Ning 16
Establishment of Session Keys (Cont d) One-way public key based authentication It s only necessary to authenticate the service Example: SSL Encrypt R with s public key Diffie-Hellman key exchange signs the D-H public key CSC 474/574 Dr. Peng Ning 17 Mediated Authentication (With KDC) KDC operation (in principle) wants K KDC {K AB } K {K AB } Generate K AB Some concerns Trudy may claim to be and talk to KDC Trudy cannot get anything useful Messages encrypted by may get to before KDC s message It may be difficult for KDC to connect to CSC 474/574 Dr. Peng Ning 18
Mediated Authentication (With KDC) KDC operation (in practice) Generate K wants AB KDC K {K AB }, K {K AB } K {K AB } ticket Must be followed by a mutual authentication exchange To confirm that and have the same key CSC 474/574 Dr. Peng Ning 19 Needham-Schroeder Protocol Classic protocol for authentication with KDC Many others have been modeled after it (e.g., Kerberos) Nonce: A number that is used only once Deal with replay attacks N 1, wants K {N 1,, K AB, ticket to }, where ticket to = K {K AB, } ticket to, K AB {N 2 } K AB {N 2 1, N 3 } K AB {N 3 1} Generate K AB KDC CSC 474/574 Dr. Peng Ning 20
Needham-Schroeder Protocol (Cont d) A vulnerability When Trudy gets a previous key used by, Trudy may reuse a previous ticket issued to for Essential reason The ticket to stays valid even if changes her key CSC 474/574 Dr. Peng Ning 21 Expanded Needham-Schroeder Protocol I want to talk to you K {N B } N 1, wants, K {N B } K {N 1,, K AB, ticket to }, where ticket to = K {K AB,, N B } Generate K AB ; extract N B KDC ticket to, K AB {N 2 } K AB {N 2 1, N 3 } K AB {N 3 1} The additional two messages assure that the initiator has talked to KDC since generates N B CSC 474/574 Dr. Peng Ning 22
Otway-Rees Protocol N C,,, K {N A, N C,, } Generate K AB Extract N B KDC K {N A, N C,, }, K {N B, N C,, } N C, K {N A, K AB }, K {N B, K AB } K {N A, K AB } K AB {anything recognizable} Only has five messages KDC checks if N C matches in both cipher-texts Make sure that is really CSC 474/574 Dr. Peng Ning 23