Security Handshake Pitfalls

Similar documents
CSC 474/574 Information Systems Security

Authentication Handshakes

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

6. Security Handshake Pitfalls Contents

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Security Handshake Pitfalls

Security Handshake Pitfalls

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Security Handshake Pitfalls

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Password. authentication through passwords

Session Key Distribution

Real-time protocol. Chapter 16: Real-Time Communication Security

User Authentication Protocols

CS 494/594 Computer and Network Security

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms

User Authentication Protocols Week 7

Cryptographic Checksums

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

CIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Security: Focus of Control. Authentication

Authentication. Strong Password Protocol. IT352 Network Security Najwa AlGhamdi

Chapter 9: Key Management

Cryptographic Protocols 1

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

User Authentication. Modified By: Dr. Ramzi Saifan

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Computer Networks & Security 2016/2017

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Trusted Intermediaries

AIT 682: Network and Systems Security

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Strong Password Protocols

Spring 2010: CS419 Computer Security

Security: Focus of Control

Authentication Protocols. Outline. Who Is Authenticated?

Session key establishment protocols

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Session key establishment protocols

User Authentication. Modified By: Dr. Ramzi Saifan

Key distribution and certification

13/10/2013. Kerberos. Key distribution and certification. The Kerberos protocol was developed at MIT in the 1980.

Applied Cryptography Basic Protocols

Unit-VI. User Authentication Mechanisms.

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

HOST Authentication Overview ECE 525

Identification Schemes

Elements of Security

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Cryptography and Network Security Chapter 13. Digital Signatures & Authentication Protocols

L13. Reviews. Rocky K. C. Chang, April 10, 2015

What did we talk about last time? Public key cryptography A little number theory

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

CIS 6930/4930 Computer and Network Security. Final exam review

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Computer Security 4/12/19

Fall 2010/Lecture 32 1

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

Cryptography and Network Security

Contents Digital Signatures Digital Signature Properties Direct Digital Signatures

AIT 682: Network and Systems Security

Outline More Security Protocols CS 239 Computer Security February 4, 2004

EEC-682/782 Computer Networks I

CPSC 467b: Cryptography and Computer Security

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

Information Security CS 526

Security protocols and their verification. Mark Ryan University of Birmingham

This chapter examines some of the authentication functions that have been developed to support network-based use authentication.

Datasäkerhetsmetoder föreläsning 7

Digital Signatures. Secure Digest Functions

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Network Security Chapter 8

CSC/ECE 774 Advanced Network Security

Lecture 1: Course Introduction

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

CS 161 Computer Security

The Kerberos Authentication System Course Outline

CS 161 Authentication Protocols. Zero knowledge review

Cryptology Part 1. Terminology. Basic Approaches to Cryptography. Basic Approaches to Cryptography: (1) Transposition (continued)

Chapter 10: Key Management

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

Distributed Systems Principles and Paradigms

Network Security (NetSec)

5. Authentication Contents

CSC 482/582: Computer Security. Security Protocols

CS /29/17. Paul Krzyzanowski 1. Fall 2016: Question 2. Distributed Systems. Fall 2016: Question 2 (cont.) Fall 2016: Question 3

CSC 774 Network Security

Computer Security. 10. Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

Authentication in Distributed Systems

Applied Cryptography and Computer Security CSE 664 Spring 2017

Transcription:

Security Handshake Pitfalls 1

Authentication Handshakes Secure communication almost always includes an initial authentication handshake: Authenticate each other Establish sessions keys This process may involve many flaws 2

Login with shared secret Approaches Using KAlice-Bob as a secret key to encrypt R: KAlice-Bob{R} Hashing R and KAlice-Bob: h(kalice-bob, R) Different time uses different R Weakness Authentication is not mutual: Trudy can convince Alice that she is Bob Trudy can hijack the conversation after the initial exchange Off-line password guessing attack assuming KAlice-Bob is derived from a password Trudy can compromise the database at Bob and later impersonate Alice 3

Login with shared secret cont d All the previous weakness remains Minor security difference Alice has to be able to reverse what Bob has done to R If KAlice-Bob is derived from a password, it is vulnerable to a dictionary attack 4

Login with shared secret cont d Alice and Bob have reasonably synchronized clocks more efficient Impersonate Alice within the acceptable clock skew If Trudy can set Bob s clock back reuse overheard timestamps 5

Authentication with One-Way Public Key Advantage Database at Bob need not be protected from unauthorized disclosure Weakness Trudy can trick Alice into signing/decrypting: Trudy can forge Alice s signature on some quantity 6

Mutual Authentication Inefficient 7

Reflection Attack Mutual Authentication 8

Reflection Attack General Principle Do not have Alice and Bob do exactly the same thing Different Keys: have the key used to authenticate Alice be different from the key used to authenticate Bob Different Challenges: the challenge from the initiator (Alice) looks different from the challenge from the responder 9

Password Guessing Mutual Authentication How to fix? 10

Public Keys Mutual Authentication Assume Alice and Bob know each other s public keys 11

Timestamps Mutual Authentication Require synchronized clocks Alice and Bob have to encrypt different timestamps 12

Integrity/Encryption for Data In order to provide integrity and/or encryption protection of the data following the authentication exchange, it is necessary for Alice and Bob to encrypt and/or add integrity Require a session key established during mutual authentication 13

Establishment of Session Keys Shared Secret based authentication After the authentication.. Use K Alice-Bob {R} as the session key? Has been used as the third message in the authentication handshake Use K (Alice-Bob+1) {R} as the session key Use K Alice-Bob {R+1} as the session key? Trudy impersonates Bob: 14

Privacy and Integrity Replay attack Use long sequence numbers Sequence number space rollover Key rollover: changing keys in the middle of a conversation 15

Mediated Authentication Trudy may claim to be Alice and send I am Alice Will not do Trudy any good It is possible that Alice s messages get to Bob first, so Bob does not know how to decrypt it Using a Ticket Must be followed by a mutual authentication exchange confirm that Alice and Bob have the same key 16

Needham-Schroeder Protocol Classic protocol for authentication with KDC Many others have been modeled after it (e.g. Kerberos) 17

Needham-Schroeder Protocol Nonce: a number that is used only once A sequence number or a large random number Deal with replay attacks Reflection Attack Bob -> Alice: K AB {N 2-1, N 3 } Assume N i multiple of encryption blocksize ECB: Message splicing: put together own plus revealed With CBC, no need to decrement N 2, N 3 A Vulnerability When Trudy gets a previous key used by Alice, Trudy may reuse a previous ticket issued to Bob for Alice Essential Reason Ticket to Bob stays valid even if Alice changes her key 18

Expanded Needham-Schroeder The additional two messages assure Bob that the initiator has talked to KDC since Bob generates N B 19

Kerberos V4 Based on Needham-Schroeder, but with timestamps Save exchange of nonce 20

Timestamps Nonce Types Require reasonably synchronized clocks Large random numbers Tend to make the best nonce Cannot be guessed/predicted Sequence number 21

Nonce Types 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback