L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Similar documents
Cryptographic Checksums

Chapter 9: Key Management

Spring 2010: CS419 Computer Security

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

Chapter 10: Key Management

CSC 482/582: Computer Security. Security Protocols

What did we talk about last time? Public key cryptography A little number theory

L8: Public Key Infrastructure. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

INFSCI 2935: Introduction of Computer Security 1. Courtesy of Professors Chris Clifton & Matt Bishop. INFSCI 2935: Introduction to Computer Security 2

Information Security & Privacy

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Authentication Handshakes

Elements of Security

CSC 474/574 Information Systems Security

Key Management CS461/ECE422

Fun with Crypto keys and protocols. some Bishop, some Jim, some RA

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

Security Handshake Pitfalls

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Chapter 10 : Private-Key Management and the Public-Key Revolution

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Session Key Distribution

CS Protocol Design. Prof. Clarkson Spring 2017

L1: Computer Security Overview. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Cryptographic Protocols 1

T Cryptography and Data Security

L9: Stream and Block Ciphers. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

CS Protocols. Prof. Clarkson Spring 2016

Session key establishment protocols

Session key establishment protocols

Lecture 1: Course Introduction

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Network Security (NetSec)

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

Cryptology Part 1. Terminology. Basic Approaches to Cryptography. Basic Approaches to Cryptography: (1) Transposition (continued)

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

1 Identification protocols

Key Agreement. Guilin Wang. School of Computer Science, University of Birmingham

L3: Basic Cryptography II. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Key Establishment and Authentication Protocols EECE 412

Applied Cryptography Basic Protocols

Outline More Security Protocols CS 239 Computer Security February 4, 2004

User Authentication Protocols Week 7

Introduction to Cryptography. Ramki Thurimella

Grenzen der Kryptographie

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Introduction to SSL. Copyright 2005 by Sericon Technology Inc.

Outline Key Management CS 239 Computer Security February 9, 2004

Digital Signatures. Secure Digest Functions

6. Security Handshake Pitfalls Contents

Key Establishment. Chester Rebeiro IIT Madras. Stinson : Chapter 10

2.1 Basic Cryptography Concepts

Exercises with solutions, Set 3

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Security Handshake Pitfalls

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Security protocols and their verification. Mark Ryan University of Birmingham

Datasäkerhetsmetoder föreläsning 7

User Authentication Protocols

Computer Security. 10. Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.

CS3235 Seventh set of lecture slides

Security Handshake Pitfalls

Information Security CS 526

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

From Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design. Edition 4 Pearson Education 2005

Security Handshake Pitfalls

Fall 2010/Lecture 32 1

Applied Cryptography and Computer Security CSE 664 Spring 2017

Cryptography and Network Security Chapter 14

22-security.txt Tue Nov 27 09:13: Notes on Security Protocols , Fall 2012 Carnegie Mellon University Randal E.

CSC 774 Network Security

Course Administration

CIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries

Trusted Intermediaries

AIT 682: Network and Systems Security

The Kerberos Authentication System Course Outline

Authentication Protocols

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Modelling and Analysing of Security Protocol: Lecture 1. Introductions to Modelling Protocols. Tom Chothia CWI

L17: Assurance. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

ECEN 5022 Cryptography

CPSC 467: Cryptography and Computer Security

User Authentication. Modified By: Dr. Ramzi Saifan

Public-key Cryptography: Theory and Practice

CS 161 Computer Security

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

Transcription:

L7: Key Distributions Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806 9/16/2015 CSCI 451 - Fall 2015 1

Acknowledgement Many slides are from or are revised from the slides of the author of the textbook Matt Bishop, Introduction to Computer Security, Addison- Wesley Professional, October, 2004, ISBN-13: 978-0-321-24774-5. Introduction to Computer Security @ VSU's Safari Book Online subscription http://nob.cs.ucdavis.edu/book/book-intro/slides/ 9/16/2015 CSCI 451 - Fall 2015 2

Outline Key exchange: session vs. interchange keys Classical cryptographic key exchange and authentication Protocol evolution Needham-Schroeder Otway-Rees Key freshness, authentication, and replay attack Public key cryptographic key exchange and authentication Protocol evolution Man-in-the-middle attack 9/16/2015 CSCI 451 - Fall 2015 3

Key Management Distributions of cryptographic keys Mechanisms used to bind an identity to a key Generation, maintenance, and revoking the keys Assumption and definition Meaning of a user s key e.g., Bob s key: a key bound to the identify Bob Assume that authentication has been completed and that identify is assigned Chapter 11 Authentication Chapter 13. Representing Identify 9/16/2015 CSCI 451 - Fall 2015 4

Notation X Y : { Z W } kx,y X sends Y the message produced by concatenating Z and W enciphered by key k X,Y, which is shared by users X and Y A T : { Z } ka { W } ka,t A sends T a message consisting of the concatenation of Z enciphered using k A, A s key, and W enciphered using k A,T, the key shared by A and T r 1, r 2 : nonces, i.e., nonrepeating random numbers Alice, Bob: commonly used placeholder names in cryptography and computer security 9/16/2015 CSCI 451 - Fall 2015 5

Session and Interchange Keys Interchange key A cryptographic key associated with a principal to a communication Session key A cryptographic key associated with the communication itself 9/16/2015 CSCI 451 - Fall 2015 6

Example Alice wants to send a message m to Bob Assume public key encryption Alice generates a random cryptographic key k s and uses it to encipher m To be used for this message only k s called a session key: may change each communication She enciphers k s with Bob s public key k B k B enciphers all session keys Alice uses to communicate with Bob k B called an interchange key: do not change often Alice sends to Bob {m} ks {k s } kb 9/16/2015 CSCI 451 - Fall 2015 7

Session Key: Benefits Make cryptanalysis more difficult Limits amount of traffic enciphered with single key Standard practice is to decrease the amount of traffic an attacker can obtain Prevents some attacks Replay attack Forward search attack 9/16/2015 CSCI 451 - Fall 2015 8

Forward Searches A forward search attack Precomputed ciphertexts The adversary enciphers all plaintexts using the target s public key Intercept and compare The adversary intercepts a ciphertext and compare with the precomputed ciphertexts to quickly obtain the plaintext. Effective when the set of plaintext messages is small Example Alice will send Bob message that is either BUY or SELL. Eve computes possible ciphertexts { BUY } k B and { SELL } k B. Eve intercepts enciphered message, compares, and gets plaintext at once 9/16/2015 CSCI 451 - Fall 2015 9

Exercise L7-1 Recap: session key prevents forward search attack Question 1 in page 142 of the textbook 9/16/2015 CSCI 451 - Fall 2015 10

Key Exchange Goal: let Alice and Bob get shared key Design criteria Key cannot be transmitted in the clear Attackers can listen in Key can be transmitted enciphered, or derived from exchanged data plus data not known to an eavesdropper Alice, Bob may trust a third party, Cathy All cryptosystems, protocols publicly known Only secret is the keys, ancillary information known only to Alice and Bob needed to derive keys Anything transmitted is assumed known to attackers 9/16/2015 CSCI 451 - Fall 2015 11

Key Exchange Classical Cryptographic Key Exchange For classical cryptographic approaches Classical cryptographic approaches rely on a secrete key that shared between the two communicating parties. Require effort to authenticate the origin of the key Public Key Cryptographic Key Exchange For public key cryptographic approaches Public key is readily to be shared Require effort to authenticate the origin of the public key 9/16/2015 CSCI 451 - Fall 2015 12

Classical Cryptographic Key Exchange Algorithms Goal: let Alice and Bob get their shared key The shared key allows the secrete communication between Alice and Bob using a classical cryptographic method Key exchange algorithms go through multiple attack & fix cycles Protocol attack fix new protocol attack fix 9/16/2015 CSCI 451 - Fall 2015 13

Recap of Design Criteria Key cannot be transmitted in the clear Otherwise, an attacker can listen in Key can be sent enciphered, or derived from exchanged data plus data not known to an eavesdropper All cryptosystems, protocols publicly known Only secret data is the keys, ancillary information known only to Alice and Bob needed to derive keys Anything transmitted is assumed known to attacker Alice and Bob may trust a third party (called Cathy here) 9/16/2015 CSCI 451 - Fall 2015 14

Bootstrap Problem Alice cannot transmit the key to Bob in the clear! how do Alice and Bob begin? 9/16/2015 CSCI 451 - Fall 2015 15

With or Without 3 rd Party Example: share key via arranged physical meetings Without the 3 rd party With the 3 rd party 9/16/2015 CSCI 451 - Fall 2015 16

Trusted 3 rd Party Assume trusted third party, Cathy Alice and Cathy share secret key k A Bob and Cathy share secret key k B Rely on Cathy to exchange shared session key k s 9/16/2015 CSCI 451 - Fall 2015 17

Simple Protocol Alice wants to start a secrete communication with Bob 1 Alice { request for session key to Bob } ka Cathy 2 Alice { k s } ka { k s } kb Cathy Key Exchange Protocol 3 Alice { k s } kb Bob Alice { M } ks Bob 9/16/2015 CSCI 451 - Fall 2015 18

Simple Protocol: Replay Attack Bob does not know to whom he is talking Replay attack Alice transmits to Bob an enciphered message, e.g., { Deposit $500 in Dan s bank account today } ks Eve eavesdrops the communication and records the message and { k s } kb Eve later replays { k s } kb followed by { Deposit $500 in Dan s bank account today } ks Bob may think he is talking to Alice, but he is not. He is actually talking to Eve 9/16/2015 CSCI 451 - Fall 2015 19

Simple Protocol: Replay Attack 1 2 3 Alice Alice Alice { request for session key to Bob } ka { k s } ka { k s } kb { k s } kb Cathy Cathy Bob Key Exchange Protocol Eve 4 Alice { Deposit $500 in Dan s bank account} ks Bob Eve Eve eavesdropping 5 Eve Eve { k s } kb { Deposit $500 in Dan s bank account} ks Bob Bob Replay attack by Eve 9/16/2015 CSCI 451 - Fall 2015 20

Simple Protocol: Problems Replay attack Bob does not know to whom he is talking. Eve can record and replay messages Session key reuse When Eve replays message from Alice to Bob, Bob reuses session key Protocols must provide authentication and defense against replay 9/16/2015 CSCI 451 - Fall 2015 21

Needham-Schroeder Protocol Adds authentication with random nonces 1 Alice Alice Bob r 1 Cathy 2 Alice { Alice Bob r 1 k s { Alice k s } kb } ka Cathy 3 Alice { Alice k s } kb Bob 4 Alice { r 2 } ks Bob 5 Alice { r 2 1 } ks Bob 9/16/2015 CSCI 451 - Fall 2015 22

Authentications via Key Sharing and Nonces Alice needs to know she is talking to Cathy and Bob Bob needs to know he is talking to Alice How? Nonces: non-repeating random numbers r 1 and r 2 Key sharing: shared keys (K A and K B ) are a secret between the parties who shared the keys Assumption: all keys are secure Alice shares K A with Cathy and nobody else Bob shares K B with Cathy and nobody else Nonces and session keys are non-repeating 9/16/2015 CSCI 451 - Fall 2015 23

Is it Alice that Bob is talking to? Third message (Alice Bob) Bob deciphered the message enciphered using key (K B ) that only he, Bob knows The messages names Alice and contains session key K S Note that Alice does not know K B. It must have been Cathy that provided session key and named Alice is other party 9/16/2015 CSCI 451 - Fall 2015 24

Is it Alice that Bob is talking to? Note that the third message only provides evidence that Alice at sometime initiated the communication. Is the message a replay by Eve? Assumption: Cathy does not recycle K S Fourth message (Bob Alice) Bob initiates a challenge, i.e., uses session key to determine if it is a replay from Eve The challenging message contains a non-repeating random number, nonce r 2, generated by Bob. If not, Alice will respond correctly in fifth message If so, Eve cannot decipher r 2 and so cannot respond, or responds 9/16/2015 CSCI 451 - Fall 2015 25 incorrectly

Is it Alice that Bob is talking to? Fifth message (Alice Bob) Alice answers the challenge by deciphering the message, obtaining nonce r 2, do a simple agreed computation, and returns the answer. If the answer to the challenge is correct, it is Alice who responds the challenge Eve cannot decipher r 2 and so cannot respond, or responds incorrectly Bob can determine if it is Alice that he is talking to 9/16/2015 CSCI 451 - Fall 2015 26

Is it Bob that Alice is talking to? Second message (Cathy Alice) Alice decipher the message. Message enciphered using key K A that only Cathy knows besides herself. It is Cathy who transmits the message. It is a response to the first message, as r 1 in it matches r 1 in first message. The message is fresh and not a replay. 9/16/2015 CSCI 451 - Fall 2015 27

Is it Bob that Alice is talking to? Third message (Alice Bob) The message is received from Cathy, the trusted third party. Alice forwards the message to Bob. The message is enciphered using Bob s key K B. Alice knows only Bob can read it, as only Bob can derive session key from message that is enciphered using K B Any messages enciphered with that key are from Bob 9/16/2015 CSCI 451 - Fall 2015 28

Denning & Sacco s Argument Assumption of the Needham-Schroeder protocol: all keys are secure Question: suppose Eve can obtain session key. How does that affect the Needham-Schroeder protocol? 9/16/2015 CSCI 451 - Fall 2015 29

Denning & Sacco s Argument In what follows, Eve knows k s 1 Alice Alice Bob r 1 Cathy 2 Alice { Alice Bob r 1 k s { Alice k s } kb } ka Cathy 3 Alice { Alice k s } kb Bob Eve 3 Eve { Alice k s } kb Bob 4 Eve { r 2 } ks Bob 5 Eve { r 2 1 } ks Bob 9/16/2015 CSCI 451 - Fall 2015 30

Denning-Sacco s Solution In protocol above, Eve impersonates Alice Problem: Eve replays intercepted third message in third step Solution: use time stamp T to detect replay 9/16/2015 CSCI 451 - Fall 2015 31

Needham-Schroeder with Denning-Sacco Modification Introduce a time stamp. Reject messages that are too old 1 Alice Alice Bob r 1 Cathy 2 Alice { Alice Bob r 1 k s { Alice T k s } kb } ka Cathy 3 Alice { Alice T k s } kb Bob 4 Alice { r 2 } ks Bob 5 Alice { r 2 1 } ks Bob 9/16/2015 CSCI 451 - Fall 2015 32

Denning-Sacco s Solution: Weakness Solution: use time stamp T to detect replay Weakness: if clocks not synchronized, may either reject valid messages or accept replays Parties with either slow or fast clocks vulnerable to replay Resetting clock does not eliminate vulnerability 9/16/2015 CSCI 451 - Fall 2015 33

Otway-Rees Protocol Corrects problems with introducing an integer n and avoiding using timestamp That is, to detect Eve s replaying the third message in the protocol Does not use timestamps Not vulnerable to the problems that Denning-Sacco modification has Uses integer n to associate all messages with particular exchange 9/16/2015 CSCI 451 - Fall 2015 34

Otway-Rees Protocol 1 Alice n Alice Bob { r 1 n Alice Bob } k A Bob 2 Cathy n Alice Bob { r 1 n Alice Bob } k A Bob { r 2 n Alice Bob } k B 3 Cathy n { r 1 k s } k A { r 2 k s } k B Bob 4 Alice n { r 1 k s } k A Bob 9/16/2015 CSCI 451 - Fall 2015 35

Is it Alice that Bob is talking to? Third message (Cathy Bob) If n matches second message, Bob knows it is part of this protocol exchange Cathy generated k s because only she and Bob know k B Enciphered part belongs to this protocol exchange as r 2 matches r 2 in encrypted part of second message 9/16/2015 CSCI 451 - Fall 2015 36

Is it Bob that Alice is talking to? Fourth message (Bob Alice) If n matches first message, Alice knows it is part of this protocol exchange Cathy generated k s because only she and Alice know k A Enciphered part belongs to this protocol exchange as r 1 matches r 1 in encrypted part of first message 9/16/2015 CSCI 451 - Fall 2015 37

Replay Attack Eve acquires old k s, message in third step and attempts to impersonate Bob n { r 1 k s } k A { r 2 k s } k B Eve forwards appropriate part to Alice Alice has no ongoing key exchange with Bob: n matches nothing, so is rejected Alice has ongoing key exchange with Bob: n does not match, so is again rejected 9/16/2015 CSCI 451 - Fall 2015 38

Replay Attack The only way that Eve can impersonate Bob is that Eve s replay is for the current key exchange Eve sent the relevant part before Bob did. If this is the scenario, Eve could simply listen to traffic No replay would be involved 9/16/2015 CSCI 451 - Fall 2015 39

Exercise L7-2 Question 5 in pages 142-143 of the textbook 9/16/2015 CSCI 451 - Fall 2015 40

Classical Cryptographic Key Exchange in Practice Kerberos A client, Alice, wants to use a server S. Kerberos requires her to use two servers to obtain a credential that will authenticate her to S First, she must authenticate herself to the Kerberos System Second, she must obtain a ticket to use S Use Classical Cryptographic Key Exchange Requires a trusted third party Unix & Unix-like operating systems (e.g., Linux, OS X) and Windows 9/16/2015 CSCI 451 - Fall 2015 41

Kerberos Authentication system A client, Alice, wants to use a server S. Kerberos requires her to use two servers (authentication server and ticketgranting server) to obtain a credential that will authenticate her to server S. Based on Needham-Schroeder with Denning-Sacco modification Authentication server plays role of trusted third party ( Cathy ) Ticket: Issuer vouches for identity of requester of service Authenticator (authentication server): Identifies sender 9/16/2015 CSCI 451 - Fall 2015 42

Main Idea User u authenticates to Kerberos authentication server User u obtains ticket T u,tgs for Kerberos ticketgranting service (TGS) User u wants to use service s: User u sends (authenticator A u, ticket T u,tgs ) to TGS asking for a ticket for service TGS sends ticket T u,s to user u User u sends (A u, T u,s ) to server as a request to use s 9/16/2015 CSCI 451 - Fall 2015 43

Ticket Credential vouchering issuer has identified ticket requester Example ticket issued to user u for service s where: T u,s = s { u u s address valid time k u,s } ks k u,s is session key for user and service Valid time is interval for which ticket valid u s address may be IP address or something else Note: more fields, but not relevant here 9/16/2015 CSCI 451 - Fall 2015 44

Authenticator Credential containing identity of sender of ticket Used to confirm sender is entity to which ticket was issued Example: authenticator that user u generates for service s A u,s = { u generation time k t } ku,s where: k t is alternate session key Generation time is when authenticator generated Note: more fields, not relevant here 9/16/2015 CSCI 451 - Fall 2015 45

Protocol Where Cathy is the Kerberos authentication server 1 user user TGS Cathy 2 user { k u,tgs } ku T u,tgs Cathy 3 user service A u,tgs T u,tgs TGS 4 user user { k u,s } ku,tgs T u,s TGS 5 user A u,s T u,s service 6 user { t + 1 } ku,s service 9/16/2015 CSCI 451 - Fall 2015 46

Analysis: Steps 1-2 First two steps get user ticket to use TGS User u can obtain session key only if u knows key shared with Cathy (K u ) 9/16/2015 CSCI 451 - Fall 2015 47

Analysis: Steps 3-6 Next four steps show how u gets and uses ticket for service s Service s validates request by checking sender (using A u,s ) is same as entity ticket issued to Step 6 optional; used when u requests confirmation 9/16/2015 CSCI 451 - Fall 2015 48

Problems Relies on synchronized clocks If not synchronized and old tickets, authenticators not cached, replay is possible (Bellovin & Merritt, 1991) Tickets have some fixed fields Dictionary attacks possible Weakness in Kerberos 4 (Dole, Lodin, and Spafford, 1997) Session keys weak (had much less than 56 bits of randomness); Researchers at Purdue found them from tickets in minutes Kerberos 5 Improvements (e.g., adopted AES) Authenticators are valid for 5 minutes 9/16/2015 CSCI 451 - Fall 2015 Slide #9-49

Public Key Cryptographic Key Exchange Public key cryptographic makes exchanging keys very easy e A, e B Alice and Bob s public keys known to all d A, d B Alice and Bob s private keys known only to owner Simple protocol k s is desired session key Alice { k s } e B Bob 9/16/2015 CSCI 451 - Fall 2015 Slide #9-50

Problem Similar flaw to the original classical key exchange protocol Vulnerable to forgery or replay Because e B known to anyone, Bob has no assurance that Alice sent message Eve can forge such a message Eve { k s } e B Bob 9/16/2015 CSCI 451 - Fall 2015 51

Solution Authenticate Sender, i.e., Alice Simple fix: Alice signs the session key K s using her private key d A Alice { { k s } da } eb Bob Bob deciphers the message using his private key (d B ) to obtain {k s } da Bob deciphers {k s } da using Alice public key and thereby authenticates Alice 9/16/2015 CSCI 451 - Fall 2015 52

Discussion Can also include message enciphered with k s (Schneier, 1996) Man-in-the-middle attack The above assumes Bob has Alice s public key, and vice versa If not, each must get it from public server If keys not bound to identity of owner, attacker Eve can launch a man-in-the-middle attack 9/16/2015 CSCI 451 - Fall 2015 53

Man-in-the-Middle Attack Cathy is public server providing public keys 1 2 3 Alice {Request to send Bob s public key} Eve Eve Eve intercepts request {Request to send Bob s public key} e B Cathy Cathy Cathy 4 Alice e E Eve 5 Alice { k s } e E Eve intercepts message Bob 6 { k s } e B Eve Bob 9/16/2015 CSCI 451 - Fall 2015 54

Man-in-the-Middle Attack When presented with a public key purportedly belonging to Bob, Alice has no way to verify that the public key in fact belongs to Bob Solution binding identity to keys Discussed later as public key infrastructure (PKI) 9/16/2015 CSCI 451 - Fall 2015 55

Summary Key management critical to effective use of cryptosystems Different levels of keys (session vs. interchange) Key Exchange for Classical Cryptography Key Exchange for Public Key Cryptography Lessons learned from attack and fix cycles 9/16/2015 CSCI 451 - Fall 2015 56

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback