Ideal Security Protocol Satisfies security requirements Requirements must be precise Efficient Small computational requirement Small bandwidth usage, network delays Not fragile Works when attacker tries to break it Works even if environment changes Easy to use and implement, flexible Difficult to satisfy all of these! 1 Identify Friend or Foe (IFF) Russian MIG Angola SAAF Impala K 1. N 2. E(N,K) Namibia K 2 MIG in the Middle 3. N SAAF Impala K 4. E(N,K) 2. N Angola 5. E(N,K) Russian MiG 1. N 6. E(N,K) Namibia K 3 1
Simple Authentication I m Prove it My password is frank Fig.9.3 Simple and may be OK for standalone system But insecure for networked system Subject to a replay attack (next 2 slides) Also, must know s password 4 Authentication Attack I m Prove it My password is frank Trudy Fig. 9.4 This is an example of a replay attack How can we prevent a replay? 5 Better Authentication I m Prove it h( s password) Fig. 9.5 Better since it hides s password From both and Trudy But still subject to replay 6 2
Challenge-Response I m Nonce h( s password, Nonce) Fig. 9.7 Nonce is the challenge The hash is the response Nonce prevents replay, ensures freshness Password is something knows must know s pwd to verify 7 Authentication with Symmetric Key I m R E(R,K), K, K Fig. 9.8 Secure method for to authenticate does not authenticate So, can we achieve mutual authentication? 8 Mutual Authentication? I m, R E(R,K), K E(R,K) Fig. 9.9, K What s wrong with this picture? could be Trudy (or anybody else)! 9 3
Mutual Authentication I m, R A R B, E(R A, K), K E(R B, K) Fig. 9.10, K This provides mutual authentication or does it? See the next slide 10 Mutual Authentication Attack 1. I m, R A 2. R B, E(R A, K) Trudy, K 3. I m, R B 4. R C, E(R B, K) Trudy Fig. 9.11, K 11 Symmetric Key Mutual Authentication I m, R A R B, E(,R A,K), K E(,R B,K) Fig. 9.12, K Do these insignificant changes help? Yes! Strong Mutual Authentication! 12 4
Public Key Authentication I m {R} R Is this secure? Fig. 9.13 Trudy can get to decrypt anything! So, should have two key pairs 13 Public Key Authentication I m R [R] Is this secure? Fig. 9.14 using Digital Signature Trudy can get to sign anything! Same a previous should have two key pairs 14 Authentication & Session Key I m, R {R,K} {R +1,K} Fig. 9.15 Is this secure? is authenticated and session key is secure s nonce, R, useless to authenticate The key K is acting as s nonce to No mutual authentication 15 5
Public Key Authentication and Session Key I m, R [R,K] [R +1,K] Fig. 9.16 signature based Is this secure? Mutual authentication (good), but session key is not secret (very bad) 16 Public Key Authentication and Session Key I m, R {[R,K] } {[R +1,K] } Fig. 9.17 sign and encrypt Is this secure? Seems to be OK Mutual authentication and session key! 17 Public Key Authentication and Session Key I m, R [{R,K} ] [{R +1,K} ] Is this secure? Seems to be OK Fig. 9.18 Encrypt and Sign Anyone can see {R,K} and {R +1,K} 18 6
Perfect Forward Secrecy Suppose and share key K For perfect forward secrecy, and cannot use K to encrypt Instead they must use a session key K S and forget it after it s used Can and agree on session key K S in a way that ensures PFS? 19 Naïve Session Key Protocol E(K S, K) E(messages, K S ), K Fig. 9.19, K Trudy could record E(K S, K) If Trudy later gets K then she can get K S Then Trudy can decrypt recorded messages 20 Perfect Forward Secrecy We use Diffie-Hellman for PFS Recall: public g and p g a mod p g b mod p, a Fig. 9.20 But Diffie-Hellman is subject to MiM How to get PFS and prevent MiM?, b 21 7
Perfect Forward Secrecy E(g a mod p, K) E(g b mod p, K) : K, a Fig. 9.21 E-DH for PFS : K, b Session key K S = g ab mod p forgets a, forgets b So-called Ephemeral Diffie-Hellman Neither nor can later recover K S Are there other ways to achieve PFS? 22 Mutual Authentication, Session Key and PFS I m, R A R B, [{R A, g b mod p} ] [{R B, g a mod p} ] Fig. 9.22 Session key is K = g ab mod p forgets a and forgets b If Trudy later gets s and s secrets, she cannot recover session key K 23 Public Key Authentication with Timestamp T I m, {[T, K] } {[T +1, K] } Fig. 9.23 Sign & Encrypt - Secure! Secure mutual authentication? Session key? Seems to be OK 24 8
Public Key Authentication with Timestamp T I m, [{T, K} ] [{T +1, K} ] Fig. 9.24 Encrypt & Sign Not secure Secure authentication and session key? Trudy can use s public key to find {T, K} and then 25 Public Key Authentication with Timestamp T I m Trudy, [{T, K} ] Trudy [{T +1, K} Trudy ] Trudy Fig. 9.25 Attack on Encrypt & Sign Trudy obtains - session key K Note: Trudy must act within clock skew 26 Public Key Authentication Sign and encrypt with nonce Secure Encrypt and sign with nonce Secure Sign and encrypt with timestamp Secure Encrypt and sign with timestamp Insecure Protocols can be subtle! 27 9
Public Key Authentication with Timestamp T I m, [{T, K} ] [{T +1} ] Fig. 9.26 Is this encrypt and sign secure? o Yes, seems to be OK Does sign and encrypt also work here? 28 TCP 3-way Handshake SYN, SEQ a SYN, ACK a+1, SEQ b ACK b+1, data Fig. 9.27 Recall the TCP three way handshake Initial SEQ numbers, SEQ a and SEQ b o Supposed to be random If not 29 TCP Authentication Attack Trudy 5. 5. 5. 5. Fig. 9.28 30 10
TCP Authentication Attack Random SEQ numbers Fig. 9.29 Initial SEQ numbers Mac OS X If initial SEQ numbers not very random possible to guess initial SEQ number and previous attack will succeed 31 Zero Knowledge Proof (ZKP) wants to prove that she knows a secret without revealing any info about it must verify that knows secret But gains no info about the secret Process is probabilistic can verify that knows the secret to an arbitrarily high probability An interactive proof system 32 s Cave knows secret phrase to open path between R and S ( open sarsaparilla ) P Can she convince that she knows the secret without revealing phrase? R Q S 33 11
Fiat-Shamir Protocol Cave-based protocols are inconvenient Can we achieve same effect without the cave? Finding square roots modulo N is difficult Equivalent to factoring Suppose N = pq, where p and q prime has a secret S N and v = S 2 mod N are public, S is secret must convince that she knows S without revealing any information about S 34 Fiat-Shamir secret S random r x = r 2 mod N e {0,1} y = r S e mod N Fig. 9.32 random e Public: Modulus N and v = S 2 mod N selects random r, chooses e {0,1} must verify: y 2 = x v e mod N Why? Because y 2 = r 2 S 2e = r 2 (S 2 ) e = x v e mod N 35 Fiat-Shamir: e = 1 x = r 2 mod N e = 1 secret S random r y = r S mod N Fig. random e Public: Modulus N and v = S 2 mod N selects random r, chooses e =1 If y 2 = x v mod N then accepts it I.e., passes this iteration of the protocol Note that must know S in this case 36 12
Fiat-Shamir: e = 0 x = r 2 mod N e = 0 secret S random r y = r mod N random e Public: Modulus N and v = S 2 mod N selects random r, chooses e = 0 must checks whether y 2 = x mod N does not need to know S in this case! 37 Fiat-Shamir Public: modulus N and v = S 2 mod N Secret: knows S selects random r and commits to r by sending x = r 2 mod N to sends challenge e {0,1} to responds with y = r S e mod N checks whether y 2 = x v e mod N Does this prove response is from? 38 Does Fiat-Shamir Work? If everyone follows protocol, math works: Public: v = S 2 mod N to : x = r 2 mod N and y = r S e mod N verifies: y 2 = x v e mod N Can Trudy convince she is? If Trudy expects e = 0, she sends x = r 2 in msg 1 and y = r in msg 3 (i.e., follow the protocol) If Trudy expects e = 1, sends x = r 2 v 1 in msg 1 and y = r in msg 3 If chooses e {0,1} at random, Trudy can only trick with probability 1/2 39 13
Fiat-Shamir Facts Trudy can trick with probability 1/2, but after n iterations, the probability that Trudy can convince that she is is only 1/2 n Just like s cave! s e {0,1} must be unpredictable must use new r each iteration, or else If e = 0, sends r mod N in message 3 If e = 1, sends r S mod N in message 3 Anyone can find S given r mod N and r S mod N 40 Fiat-Shamir Zero Knowledge? Zero knowledge means that nobody learns anything about the secret S Public: v = S 2 mod N Trudy sees r 2 mod N in message 1 Trudy sees r S mod N in message 3 (if e = 1) If Trudy can find r from r 2 mod N, gets S But that requires modular square root If Trudy could find modular square roots, she could get S from public v Protocol does not seem to help to find S 41 ZKP in the Real World Public key certificates identify users No anonymity if certificates sent in plaintext ZKP offers a way to authenticate without revealing identities ZKP supported in MS s Next Generation Secure Computing Base (NGSCB), where ZKP used to authenticate software without revealing machine identifying data ZKP is not just pointless mathematics! 42 14
Best Authentication Protocol? It depends on The sensitivity of the application/data The delay that is tolerable The cost (computation) that is tolerable What crypto is supported (public key, symmetric key, ) Whether mutual authentication is required Whether PFS, anonymity, etc., are concern and possibly other factors 43 15