Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

Similar documents
Key Establishment and Authentication Protocols EECE 412

Security Handshake Pitfalls

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Real-time protocol. Chapter 16: Real-Time Communication Security

Zero Knowledge Protocol

CS 494/594 Computer and Network Security

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

Diffie-Hellman. Part 1 Cryptography 136

Kurose & Ross, Chapters (5 th ed.)

CS 161 Computer Security

Security Handshake Pitfalls

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Security Handshake Pitfalls

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

Authentication Handshakes

Public Key Algorithms

Cryptographic Protocols 1

CSC 474/574 Information Systems Security

Session key establishment protocols

Session key establishment protocols

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

CS Computer Networks 1: Authentication

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Password. authentication through passwords

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

CS 395T. Formal Model for Secure Key Exchange

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

Computer Networks & Security 2016/2017

Identification Schemes

CIS 4360 Secure Computer Systems Applied Cryptography

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Chapter 9 Public Key Cryptography. WANG YANG

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Chapter 9. Public Key Cryptography, RSA And Key Management

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Simple Security Protocols

Public Key Algorithms

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Strong Password Protocols

A Mathematical Proof. Zero Knowledge Protocols. Interactive Proof System. Other Kinds of Proofs. When referring to a proof in logic we usually mean:

Zero Knowledge Protocols. c Eli Biham - May 3, Zero Knowledge Protocols (16)

Lecture 2 Applied Cryptography (Part 2)

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

T Cryptography and Data Security

Security Handshake Pitfalls

Cryptographic protocols

Overview. Public Key Algorithms I

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Authentication. Strong Password Protocol. IT352 Network Security Najwa AlGhamdi

Public Key Cryptography and RSA

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Computer Networks. Wenzhong Li. Nanjing University

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

What did we talk about last time? Public key cryptography A little number theory

6. Security Handshake Pitfalls Contents

Computer Communication Networks Network Security

Encryption. INST 346, Section 0201 April 3, 2018

David Wetherall, with some slides from Radia Perlman s security lectures.

CSC 8560 Computer Networks: Network Security

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Introduction to Cryptography and Security Mechanisms. Abdul Hameed

14. Internet Security (J. Kurose)

The Diffie-Hellman/Karn Encryption App

Auth. Key Exchange. Dan Boneh

The Secure Shell (SSH) Protocol

ECEN 5022 Cryptography

1. Diffie-Hellman Key Exchange

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Proceedings of the 10 th USENIX Security Symposium

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

A robust smart card-based anonymous user authentication protocol for wireless communications

Number Theory and RSA Public-Key Encryption

Key Establishment. Chester Rebeiro IIT Madras. Stinson : Chapter 10

PROTECTING CONVERSATIONS

Information Security CS 526

Crypto Background & Concepts SGX Software Attestation

Applied Cryptography and Computer Security CSE 664 Spring 2017

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Introduction to Cryptography Lecture 7

SECURITY IN NETWORKS

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

CS 161 Computer Security

Chapter 4: Securing TCP connections

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Spring 2010: CS419 Computer Security

CS3235 Seventh set of lecture slides

CS 161 Computer Security

Applied Cryptography and Computer Security CSE 664 Spring 2018

MTAT Applied Cryptography

Public Key Cryptography

ENEE 459-C Computer Security. Security protocols

CMSC 414 S09 Exam 2 Page 1 of 6 Name:

Transcription:

Ideal Security Protocol Satisfies security requirements Requirements must be precise Efficient Small computational requirement Small bandwidth usage, network delays Not fragile Works when attacker tries to break it Works even if environment changes Easy to use and implement, flexible Difficult to satisfy all of these! 1 Identify Friend or Foe (IFF) Russian MIG Angola SAAF Impala K 1. N 2. E(N,K) Namibia K 2 MIG in the Middle 3. N SAAF Impala K 4. E(N,K) 2. N Angola 5. E(N,K) Russian MiG 1. N 6. E(N,K) Namibia K 3 1

Simple Authentication I m Prove it My password is frank Fig.9.3 Simple and may be OK for standalone system But insecure for networked system Subject to a replay attack (next 2 slides) Also, must know s password 4 Authentication Attack I m Prove it My password is frank Trudy Fig. 9.4 This is an example of a replay attack How can we prevent a replay? 5 Better Authentication I m Prove it h( s password) Fig. 9.5 Better since it hides s password From both and Trudy But still subject to replay 6 2

Challenge-Response I m Nonce h( s password, Nonce) Fig. 9.7 Nonce is the challenge The hash is the response Nonce prevents replay, ensures freshness Password is something knows must know s pwd to verify 7 Authentication with Symmetric Key I m R E(R,K), K, K Fig. 9.8 Secure method for to authenticate does not authenticate So, can we achieve mutual authentication? 8 Mutual Authentication? I m, R E(R,K), K E(R,K) Fig. 9.9, K What s wrong with this picture? could be Trudy (or anybody else)! 9 3

Mutual Authentication I m, R A R B, E(R A, K), K E(R B, K) Fig. 9.10, K This provides mutual authentication or does it? See the next slide 10 Mutual Authentication Attack 1. I m, R A 2. R B, E(R A, K) Trudy, K 3. I m, R B 4. R C, E(R B, K) Trudy Fig. 9.11, K 11 Symmetric Key Mutual Authentication I m, R A R B, E(,R A,K), K E(,R B,K) Fig. 9.12, K Do these insignificant changes help? Yes! Strong Mutual Authentication! 12 4

Public Key Authentication I m {R} R Is this secure? Fig. 9.13 Trudy can get to decrypt anything! So, should have two key pairs 13 Public Key Authentication I m R [R] Is this secure? Fig. 9.14 using Digital Signature Trudy can get to sign anything! Same a previous should have two key pairs 14 Authentication & Session Key I m, R {R,K} {R +1,K} Fig. 9.15 Is this secure? is authenticated and session key is secure s nonce, R, useless to authenticate The key K is acting as s nonce to No mutual authentication 15 5

Public Key Authentication and Session Key I m, R [R,K] [R +1,K] Fig. 9.16 signature based Is this secure? Mutual authentication (good), but session key is not secret (very bad) 16 Public Key Authentication and Session Key I m, R {[R,K] } {[R +1,K] } Fig. 9.17 sign and encrypt Is this secure? Seems to be OK Mutual authentication and session key! 17 Public Key Authentication and Session Key I m, R [{R,K} ] [{R +1,K} ] Is this secure? Seems to be OK Fig. 9.18 Encrypt and Sign Anyone can see {R,K} and {R +1,K} 18 6

Perfect Forward Secrecy Suppose and share key K For perfect forward secrecy, and cannot use K to encrypt Instead they must use a session key K S and forget it after it s used Can and agree on session key K S in a way that ensures PFS? 19 Naïve Session Key Protocol E(K S, K) E(messages, K S ), K Fig. 9.19, K Trudy could record E(K S, K) If Trudy later gets K then she can get K S Then Trudy can decrypt recorded messages 20 Perfect Forward Secrecy We use Diffie-Hellman for PFS Recall: public g and p g a mod p g b mod p, a Fig. 9.20 But Diffie-Hellman is subject to MiM How to get PFS and prevent MiM?, b 21 7

Perfect Forward Secrecy E(g a mod p, K) E(g b mod p, K) : K, a Fig. 9.21 E-DH for PFS : K, b Session key K S = g ab mod p forgets a, forgets b So-called Ephemeral Diffie-Hellman Neither nor can later recover K S Are there other ways to achieve PFS? 22 Mutual Authentication, Session Key and PFS I m, R A R B, [{R A, g b mod p} ] [{R B, g a mod p} ] Fig. 9.22 Session key is K = g ab mod p forgets a and forgets b If Trudy later gets s and s secrets, she cannot recover session key K 23 Public Key Authentication with Timestamp T I m, {[T, K] } {[T +1, K] } Fig. 9.23 Sign & Encrypt - Secure! Secure mutual authentication? Session key? Seems to be OK 24 8

Public Key Authentication with Timestamp T I m, [{T, K} ] [{T +1, K} ] Fig. 9.24 Encrypt & Sign Not secure Secure authentication and session key? Trudy can use s public key to find {T, K} and then 25 Public Key Authentication with Timestamp T I m Trudy, [{T, K} ] Trudy [{T +1, K} Trudy ] Trudy Fig. 9.25 Attack on Encrypt & Sign Trudy obtains - session key K Note: Trudy must act within clock skew 26 Public Key Authentication Sign and encrypt with nonce Secure Encrypt and sign with nonce Secure Sign and encrypt with timestamp Secure Encrypt and sign with timestamp Insecure Protocols can be subtle! 27 9

Public Key Authentication with Timestamp T I m, [{T, K} ] [{T +1} ] Fig. 9.26 Is this encrypt and sign secure? o Yes, seems to be OK Does sign and encrypt also work here? 28 TCP 3-way Handshake SYN, SEQ a SYN, ACK a+1, SEQ b ACK b+1, data Fig. 9.27 Recall the TCP three way handshake Initial SEQ numbers, SEQ a and SEQ b o Supposed to be random If not 29 TCP Authentication Attack Trudy 5. 5. 5. 5. Fig. 9.28 30 10

TCP Authentication Attack Random SEQ numbers Fig. 9.29 Initial SEQ numbers Mac OS X If initial SEQ numbers not very random possible to guess initial SEQ number and previous attack will succeed 31 Zero Knowledge Proof (ZKP) wants to prove that she knows a secret without revealing any info about it must verify that knows secret But gains no info about the secret Process is probabilistic can verify that knows the secret to an arbitrarily high probability An interactive proof system 32 s Cave knows secret phrase to open path between R and S ( open sarsaparilla ) P Can she convince that she knows the secret without revealing phrase? R Q S 33 11

Fiat-Shamir Protocol Cave-based protocols are inconvenient Can we achieve same effect without the cave? Finding square roots modulo N is difficult Equivalent to factoring Suppose N = pq, where p and q prime has a secret S N and v = S 2 mod N are public, S is secret must convince that she knows S without revealing any information about S 34 Fiat-Shamir secret S random r x = r 2 mod N e {0,1} y = r S e mod N Fig. 9.32 random e Public: Modulus N and v = S 2 mod N selects random r, chooses e {0,1} must verify: y 2 = x v e mod N Why? Because y 2 = r 2 S 2e = r 2 (S 2 ) e = x v e mod N 35 Fiat-Shamir: e = 1 x = r 2 mod N e = 1 secret S random r y = r S mod N Fig. random e Public: Modulus N and v = S 2 mod N selects random r, chooses e =1 If y 2 = x v mod N then accepts it I.e., passes this iteration of the protocol Note that must know S in this case 36 12

Fiat-Shamir: e = 0 x = r 2 mod N e = 0 secret S random r y = r mod N random e Public: Modulus N and v = S 2 mod N selects random r, chooses e = 0 must checks whether y 2 = x mod N does not need to know S in this case! 37 Fiat-Shamir Public: modulus N and v = S 2 mod N Secret: knows S selects random r and commits to r by sending x = r 2 mod N to sends challenge e {0,1} to responds with y = r S e mod N checks whether y 2 = x v e mod N Does this prove response is from? 38 Does Fiat-Shamir Work? If everyone follows protocol, math works: Public: v = S 2 mod N to : x = r 2 mod N and y = r S e mod N verifies: y 2 = x v e mod N Can Trudy convince she is? If Trudy expects e = 0, she sends x = r 2 in msg 1 and y = r in msg 3 (i.e., follow the protocol) If Trudy expects e = 1, sends x = r 2 v 1 in msg 1 and y = r in msg 3 If chooses e {0,1} at random, Trudy can only trick with probability 1/2 39 13

Fiat-Shamir Facts Trudy can trick with probability 1/2, but after n iterations, the probability that Trudy can convince that she is is only 1/2 n Just like s cave! s e {0,1} must be unpredictable must use new r each iteration, or else If e = 0, sends r mod N in message 3 If e = 1, sends r S mod N in message 3 Anyone can find S given r mod N and r S mod N 40 Fiat-Shamir Zero Knowledge? Zero knowledge means that nobody learns anything about the secret S Public: v = S 2 mod N Trudy sees r 2 mod N in message 1 Trudy sees r S mod N in message 3 (if e = 1) If Trudy can find r from r 2 mod N, gets S But that requires modular square root If Trudy could find modular square roots, she could get S from public v Protocol does not seem to help to find S 41 ZKP in the Real World Public key certificates identify users No anonymity if certificates sent in plaintext ZKP offers a way to authenticate without revealing identities ZKP supported in MS s Next Generation Secure Computing Base (NGSCB), where ZKP used to authenticate software without revealing machine identifying data ZKP is not just pointless mathematics! 42 14

Best Authentication Protocol? It depends on The sensitivity of the application/data The delay that is tolerable The cost (computation) that is tolerable What crypto is supported (public key, symmetric key, ) Whether mutual authentication is required Whether PFS, anonymity, etc., are concern and possibly other factors 43 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback