CSC 474/574 Information Systems Security

CSC 474/574 Information Systems Security
Topic 3.3: Security Handshake Pitfalls
CSC 474/574, Dr. Peng Ning

Authentication Handshakes
Secure communication almost always includes an initial authentication handshake.
  Authenticate each other
  Establish session keys
This process is not trivial; flaws in this process undermine secure communication.
This topic is about typical flaws.

Authentication with Shared Secret
Messages exchanged:
  I'm
  A challenge R
  f(k -, R)
Weaknesses
  Authentication is not mutual; Trudy can convince that she is
  Trudy can hijack the conversation after the initial exchange
  If the shared key is derived from a password, Trudy can mount an off-line password guessing attack
  Trudy may compromise 's database and later impersonate

Authentication with Shared Secret (Cont'd)
Messages exchanged:
  I'm
  K - {R}
  R
A variation
  Requires reversible cryptography
  Other variations are possible
Weaknesses
  All the previous weaknesses remain
  Trudy doesn't have to see R to mount off-line password guessing if R has certain patterns (e.g., concatenated with a timestamp)
    Trudy sends a message to, pretending to be

Authentication with Public Key
Messages exchanged:
  I'm
  R
  Sig {R}
's database is less risky
Weaknesses
  Authentication is not mutual; Trudy can convince that she is
  Trudy can hijack the conversation after the initial exchange
  Trudy can trick into signing something
    Use different private key for authentication

Authentication with Public Key (Cont'd)
Messages exchanged:
  I'm
  {R}
  R
A variation

Mutual Authentication
Messages exchanged:
  I'm
  R_1
  f(k -, R_1)
  R_2
  f(k -, R_2)
Optimize:
  I'm, R_2
  R_1, f(k -, R_2)
  f(k -, R_1)

Mutual Authentication (Cont'd)
Reflection attack
Trudy:
  I'm, R_2
  R_1, f(k -, R_2)
  f(k -, R_1)
Trudy:
  I'm, R_1
  R_3, f(k -, R_1)

Reflection Attacks (Cont'd)
Lesson: Don't have and do exactly the same thing
  Different keys
    Totally different keys
    K - = K - + 1
  Different Challenges
The initiator should be the first to prove its identity
  Assumption: initiator is more likely to be the bad guy

Mutual Authentication (Cont'd)
Password guessing
Messages exchanged:
  I'm, R_2
  R_1, f(k -, R_2)
  f(k -, R_1)
Countermeasure:
  I'm
  R_1
  f(k -, R_1), R_2
  f(k -, R_2)
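
The reflection attack on the optimized three-message exchange, and the "Different Challenges" lesson above, as an added example that is not part of the original slides. It assumes f is HMAC-SHA256 and makes the two directions differ by prefixing a role tag to the challenge; the class, function and tag names are hypothetical.

```python
import hashlib
import hmac
import os

def f(key: bytes, challenge: bytes) -> bytes:
    """The slides' f(K, R), instantiated here (an assumption) as HMAC-SHA256."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Responder:
    """Responder side of the optimized three-message exchange."""

    def __init__(self, key: bytes, hardened: bool):
        self.key, self.hardened = key, hardened
        self.pending = {}  # session id -> challenge R_1 this side issued

    def _answer(self, role: bytes, r: bytes) -> bytes:
        # Hardened form: bind the answer to the answering role, so a value
        # computed by the responder is never a valid initiator answer.
        return f(self.key, (role + r) if self.hardened else r)

    def hello(self, sid: int, r2: bytes):
        """Message 1 in: "I'm <initiator>", R_2. Message 2 out: R_1, f(K, R_2)."""
        r1 = os.urandom(16)
        self.pending[sid] = r1
        return r1, self._answer(b"responder|", r2)

    def finish(self, sid: int, answer: bytes) -> bool:
        """Message 3 in: f(K, R_1). True means the initiator is accepted."""
        r1 = self.pending.pop(sid)
        return hmac.compare_digest(answer, self._answer(b"initiator|", r1))

def reflection_succeeds(responder: Responder) -> bool:
    """Replays the slide's two-session exchange; the caller never holds the key."""
    r1, _ = responder.hello(1, os.urandom(16))  # session 1: obtain challenge R_1
    _, reflected = responder.hello(2, r1)       # session 2: R_1 sent back as R_2
    return responder.finish(1, reflected)       # session 1: responder's own answer

def honest_login_succeeds(responder: Responder, key: bytes) -> bool:
    """A legitimate initiator who knows the key and uses the same role tags."""
    r1, _ = responder.hello(3, os.urandom(16))
    role = b"initiator|" if responder.hardened else b""
    return responder.finish(3, f(key, role + r1))

KEY = os.urandom(32)  # constructed shared secret for the demonstration
```

With hardened=False the responder accepts a party that never knew the key; with hardened=True the reflected value fails verification while the honest initiator still logs in.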

Mutual Authentication (Cont'd)
Public keys
  Authentication of public keys is a critical issue
Messages exchanged:
  I'm, {R_2}
  R_2, {R_1}
  R_1

Mutual Authentication (Cont'd)
Mutual authentication with timestamps
  Require synchronized clocks
  and have to encrypt different timestamps
Messages exchanged:
  I'm, f(k -, timestamp)
  f(k -, timestamp+1)

Integrity/Encryption for Data
Communication after mutual authentication should be cryptographically protected as well
  Require a session key established during mutual authentication

Establishment of Session Keys
Secret key based authentication
Messages exchanged:
  I'm
  R
  K - {R}
Assume the above authentication happened.
  Can we use K - {R} as the session key?
  Can we use K - {R+1} as the session key?
  In general, modify K - and encrypt R. Use the result as the session key

Establishment of Session Keys (Cont'd)
Two-way public key based authentication
  chooses a random number R, encrypts it with 's public key
    Trudy may hijack the conversation
  encrypts and signs R
    Trudy may save all the traffic, and decrypt all the encrypted traffic when she is able to compromise
    Less severe threat

Two-Way Public Key Based Authentication (Cont'd)
A better approach
  chooses and encrypts R_1 with 's public key
  chooses and encrypts R_2 with 's public key
  Session key is R_1 R_2
  Trudy will have to compromise both and
An even better approach
  and establish the session key with Diffie-Hellman key exchange
  and signs the quantity they send
  Trudy can't learn anything about the session key even if she compromises both and

Establishment of Session Keys (Cont'd)
One-way public key based authentication
  It's only necessary to authenticate the service
  Example: SSL
    Encrypt R with 's public key
    Diffie-Hellman key exchange
      signs the D-H public key

Mediated Authentication (With KDC)
KDC operation (in principle)
Messages exchanged:
  wants
  K {K_AB}
  K {K_AB}
KDC: Generate K_AB
Some concerns
  Trudy may claim to be and talk to KDC
    Trudy cannot get anything useful
  Messages encrypted by may get to before KDC's message
  It may be difficult for KDC to connect to

Mediated Authentication (With KDC)
KDC operation (in practice)
Messages exchanged:
  wants
  K {K_AB}, K {K_AB}
  K {K_AB} (ticket)
KDC: Generate K_AB
Must be followed by a mutual authentication exchange
  To confirm that and have the same key

Needham-Schroeder Protocol
Classic protocol for authentication with KDC
  Many others have been modeled after it (e.g., Kerberos)
Nonce: A number that is used only once
  Deal with replay attacks
Messages exchanged:
  N_1, wants
  K {N_1,, K_AB, ticket to }, where ticket to = K {K_AB, }
  ticket to, K_AB {N_2}
  K_AB {N_2 1, N_3}
  K_AB {N_3 1}
KDC: Generate K_AB

Needham-Schroeder Protocol (Cont'd)
A vulnerability
  When Trudy gets a previous key used by, Trudy may reuse a previous ticket issued to for
Essential reason
  The ticket to stays valid even if changes her key

Expanded Needham-Schroeder Protocol
Messages exchanged:
  I want to talk to you
  K {N_B}
  N_1, wants, K {N_B}
  K {N_1,, K_AB, ticket to }, where ticket to = K {K_AB,, N_B}
  ticket to, K_AB {N_2}
  K_AB {N_2 1, N_3}
  K_AB {N_3 1}
KDC: Generate K_AB; extract N_B
The additional two messages assure that the initiator has talked to KDC since generates N_B

Otway-Rees Protocol
Messages exchanged:
  N_C,,, K {N_A, N_C,, }
  K {N_A, N_C,, }, K {N_B, N_C,, }
  N_C, K {N_A, K_AB}, K {N_B, K_AB}
  K {N_A, K_AB}
  K_AB {anything recognizable}
KDC: Generate K_AB; Extract N_B
Only has five messages
KDC checks if N_C matches in both cipher-texts
  Make sure that is really