Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Similar documents
Lecture 6.2: Protocols - Authentication and Key Exchange II. CS 436/636/736 Spring Nitesh Saxena. Course Admin

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Session key establishment protocols

Session key establishment protocols

Lecture 9. Authentication & Key Distribution

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Fall 2010/Lecture 32 1

CSC 474/574 Information Systems Security

Spring 2010: CS419 Computer Security

T Cryptography and Data Security

Authentication Handshakes

CS Computer Networks 1: Authentication

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Information Security CS 526

Applied Cryptography and Computer Security CSE 664 Spring 2017

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Key Agreement. Guilin Wang. School of Computer Science, University of Birmingham

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Identification Schemes

Course Administration

Security Handshake Pitfalls

Security Handshake Pitfalls

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Authentication in Distributed Systems

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Security Handshake Pitfalls

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Lecture 9: Network Level Security IPSec

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Computer Networks & Security 2016/2017

UNIT - IV Cryptographic Hash Function 31.1

Security Handshake Pitfalls

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Key Establishment. Chester Rebeiro IIT Madras. Stinson : Chapter 10

Cryptographic Protocols 1

Chapter 9: Key Management

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

CS 494/594 Computer and Network Security

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Public Key Algorithms

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

Key Establishment and Authentication Protocols EECE 412

What did we talk about last time? Public key cryptography A little number theory

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Cryptographic Checksums

22-security.txt Tue Nov 27 09:13: Notes on Security Protocols , Fall 2012 Carnegie Mellon University Randal E.

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

CS Protocol Design. Prof. Clarkson Spring 2017

CS Protocols. Prof. Clarkson Spring 2016

KEY AGREEMENT PROTOCOLS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 13 of Trappe and Washington

Network Security (NetSec)

6. Security Handshake Pitfalls Contents

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Cryptography and Network Security Chapter 13. Digital Signatures & Authentication Protocols

User Authentication Protocols Week 7

HOST Authentication Overview ECE 525

Station-to-Station Protocol

Chapter 10 : Private-Key Management and the Public-Key Revolution

Securing Internet Communication: TLS

Key Agreement Schemes

User Authentication Protocols

ECEN 5022 Cryptography

Lecture 3.4: Public Key Cryptography IV

Unit-VI. User Authentication Mechanisms.

Computer Networks. Wenzhong Li. Nanjing University

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

Lecture 15 Public Key Distribution (certification)

Computer Security 3e. Dieter Gollmann. Chapter 15: 1

Contents Digital Signatures Digital Signature Properties Direct Digital Signatures

CIS 4360 Secure Computer Systems Applied Cryptography

Entity authentication and symmetric key establishment

CSC/ECE 774 Advanced Network Security

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Lecture 1: Course Introduction

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Encryption. INST 346, Section 0201 April 3, 2018

1. Diffie-Hellman Key Exchange

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Message authentication

Kurose & Ross, Chapters (5 th ed.)

Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography

Public Key Algorithms

Lecture 2 Applied Cryptography (Part 2)

CS 395T. Formal Model for Secure Key Exchange

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

User Authentication. Modified By: Dr. Ramzi Saifan

Real-time protocol. Chapter 16: Real-Time Communication Security

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Auth. Key Exchange. Dan Boneh

Cryptology Part 1. Terminology. Basic Approaches to Cryptography. Basic Approaches to Cryptography: (1) Transposition (continued)

Password. authentication through passwords

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

Transcription:

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall 2009 Nitesh Saxena *Adopted from a previous lecture by Gene Tsudik Course Admin HW3 Problem 3 due Friday midnight HW4 will be posted over the weekend HW2 grades were posted last night Solutions to 1-3 have all been posted Midterm is in 2-weeks from now Study topics to be posted very soon A sample mid-term from previous year will be provided as we approach the mid-term 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 2

Outline of Today s lecture Today we try to put everything together Encryption (public-key/private-key) MACs Signing Key-Distribution Secure protocols (for secure communication) Authentication We studied it somewhat while talking about key distribution (Authenticated-) Key Exchange Designing secure protocols is hard we ll only be able to learn the basics today We ll use the board extensively today be prepared to take notes 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 3 Protocol A protocol is a set of rules using which two or more entities exchange messages It consists of messages and rounds 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 4

Messages and Rounds A message is a unit of information send from one entity to other A round is a basic unit of protocol time 1. Wake up because of 1. Alarm (or clock) 2. Intial start or 3. Receipt of message(s) from other(s) 2. Compute something 3. Send message(s) to other(s) 4. Repeat 2-3 if needed 5. Wait for message(s) or clock 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 5 Types of Adversaries Passive Eavesdrop, delay, drop, replay messages Active Eavesdrop, delay, drop, replay and modify messages 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 6

Model N parties Any party can initiate the protocol with any other party Each party can be running a number of sessions with any other party at any point 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 7 Adversary and Security Model Different session should use different keys Compromise of one session should not lead to the compromise of any other session Adversary is an active adversary and a part of the system Simply forwarding adversary is NOT considered an adversary against the protocol Why? Message authentication (m ) Key exchange 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 8

Properties of a Secure Protocol Correctness If entities taking part in the protocol behave honestly, (and also if there are no transmission errors) the protocol achieves its desired goal In other words, if everything works as expected, does the protocol satisfy its desired goal? Security No adversary can defeat the goal of the protocol (with a significantly high probability) Adversary could be passive or active, depending upon the application (we consider the latter) We won t consider denial-of-service attacks 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 9 Authentication Origin Authentication Verification of the origin/source of the message Entity Authentication Verification of the identity of the sender of the message We focus on the latter Authentication can be unilateral or mutual 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 10

Basis for Authentication Something you know e.g., a PIN, a password Something you have e.g., an access key or a card; a certificate; a smart card; an RFID tag Something you are e.g., biometric (such as fingerprint) 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 11 Weak Authentication PINs, Passwords provide weak authentication Security is based upon how hard the the pin/password is to guess Usually, the passwords are short and weak Vulnerable to dictionary attacks Widely used in practice Unix, kerberos, web emails, Protocol (A authenticates B using a password P, that A shares with B) 1. A B: Hi, this is A! 2. B A: r (random challenge) 3. A B: H(p,r) Problem? 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 12

Strong Authentication An entity authenticates to the other by proving the knowledge of a secret associated with that entity, without revealing anything meaningful about the secret itself Can be achieved through: Private/Public Key Encryption MAC Digital signatures Strong because the security reduces to the security of the underlying cryptographic primitive, which is assumed to be hard to break Our focus in the rest of the lecture We ll study both private-key and public-key based authentication 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 13 Symm. Encryption-based authentication Uses encryption to authenticate Alice to Bob (assuming Alice-Bob have established a shared secret K, say through Kerberos) A auth B 1. A B: Hi Bob, this is Alice! 2. B A: r (a challenge) 3. A B: Enc K (r,b) (response) Why not simply send Enc K (r) in msg 3? 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 14

Security of the previous protocol An attacker needs to come up with a valid response Impossible if encryption is secure r must not be re-used by Bob Why? 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 15 Freshness Assurance that message has not been used previously and originated within an acceptably recent timeframe Two methods: Nonce (Number used once) Timestamps 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 16

Nonces One-time random number We depended on B to make sure r is a good nonce Choose nonces randomly from a large space (such as 2 128 ) to avoid re-use and for unpredictability good RNG 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 17 Timestamps Inclusion of date/time-stamp in the message allows recipient to check it for freshness Need to be protected with cryptographic means A B: Enc K (T,B) Results in fewer messages and rounds But, requires synchronized clocks hard to achieve in practice! 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 18

Encryption-based Mutual Authentication (1) Run two copies of the uni-lateral authentication protocol 4 rounds We can piggyback common flows 1. A B: A, ra 2. B A: Enc K (rb, ra, A) 3. A B: Enc K (ra, rb) 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 19 Encryption-based Mutual Authentication (2) 1. A B: A, Enc K (T,B) 2. B A: Enc K (T+1,A) 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 20

Session Key Exchange with KDC Needham-Schroeder Protocol A -> KDC ID A ID B N 1 (Hello, I am Alice, I want to talk to Bob, I need a session Key and here is a random nonce identifying this request) KDC -> A E KA ( K ID B N 1 E KB (K ID A )) Encrypted(Here is a key, for you to talk to Bob as per your request N 1 and also an envelope to Bob containing the same key) A -> B E KB (K ID A ) (I would like to talk using key in envelope sent by KDC) B -> A E K (N 2 ) (OK Alice, But can you prove to me that you are indeed Alice and know the key?) A -> B E K (f(n 2 )) (Sure I can!) 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 21 Session Key Exchange with KDC Needham-Schroeder Protocol (corrected version with mutual authentication) A -> KDC: ID A ID B N 1 (Hello, I am Alice, I want to talk to Bob, I need a session Key and here is a random nonce identifying this request) KDC -> A: E KA ( K ID B N 1 E KB (TS1, K ID A )) Encrypted(Here is a key, for you to talk to Bob as per your request N 1 and also an envelope to Bob containing the same key) A -> B: E K (TS2,B), E KB (TS1, K ID A ) (I would like to talk using key in envelope sent by KDC; here is an authenticator) B -> A: E K (TS2+1,A) (OK Alice, here is a proof that I am really Bob) 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 22

Version 4 summary 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 23 MAC-based Authentication 1. A B: A, ra 2. B A: rb, HMAC K (rb, ra, A) 3. A B: HMAC K (ra, rb,b) Faster than enc-based protocols (computationally) 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 24

Public-key based authentication (Needham-Shroeder (NS) pk-based) Assuming public keys are distributed through CA(s) 1. A B: Enc pkb (ra, A) 2. B A: Enc pka (ra, rb) 3. A B: Enc pkb (rb) 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 25 Attack and fix on PK-based NS protocol Attack: Fix: 1. A B: Enc pkb (ra, A) 2. B A: Enc pka (ra, rb,b) 3. A B: Enc pkb (rb) 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 26

Signature-based authentication (assuming public keys are distributed through CA) A auth B A B: Hi Bob, this is Alice! B A: r (a challenge) A B: Sig SKa (r,b) (response) A auth B, B auth A (run two copies; piggyback common flows) A B: A, ra (could sign this too) B A: rb, Sig SKb (rb, ra, A) A B: Sig SKa (ra,rb,b) 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 27 Authenticated Key Exchange (AKE) Public-key operations are costly Why not 1. use public-key mutual authentication protocols to exchange a symmetric key 2. use this symmetric key with a symmetric encryption to secure subsequent communication 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 28

Security Notion for AKE Launch protocol between any pair Reveal all session key except one Try to distinguish the key of the unrevealed session from random This captures: the compromise of other sessions should not lead to the compromise of any other session 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 29 1. A B: A, ra, Enc PKb (K) (must sign this too??) 2. B A: rb, Sig SKb (rb, ra, A) 3. A B: Sig SKa (ra, rb, B) 4. A and B output K as the authenticated key Such a protocol can be instantiated using RSA encryption/signing The way SSL/SSH establishes key But, generally only the server authenticates to the client, not vice versa 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 30

X.509 Authentication One-way. 1. A{t A, r A, B, sgndata, E KUb [K ab ]} A B Establishes the following Identity of A and message was generated by A Message was intended for B Integrity and originality of message. 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 31 X.509 Authentication Two-way. 1. A{t A, r A, B, sgndata, E KUb [K ab ]} A 2. B{t B, r B, A, r A, sgndata, E KUa [K ba ]} B One-Way plus the above which establishes the following Identity of B and message was generated by B Message was intended for A Integrity and originality of message. 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 32

X.509 Authentication Three-way. 1. A{t A, r A, B, sgndata, E KUb [K ab ]} A 2. B{t B, r B, A, r B, sgndata, E KUa [K ba ]} B 3. A{r B } 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 33 Discrete Logarithm Assumption p, q primes such that q p-1 g is an element of order q and generates a group G q of order q x in Z q, y = g x mod p Given (p, q, g, y), it is computationally hard to compute x No polynomial time algorithm known p should be 1024-bits and q be 160-bits x becomes the private key and y becomes the public key 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 34

Diffie-Hellman (DH) Key Exchange 1. A B: K a = g a mod p 2. B A: K b = g b mod p 3. A outputs K ab = K b a 4. B outputs K ba = K a b Note K ab = K ba = g ab mod p 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 35 Security of DH key exchange No authentication of either party Secure only against a passive adversary Under the computational Diffie-Hellman assumption Given (g, g a,g b ), hard to compute g ab Not secure against an active attacker Man-in-the-middle attack 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 36

Authenticated DH Key Exchange aka: Station-to-Station Protocol 1. A B: K a = g a mod p 2. B A: Cert b, K b = g b mod p Sig SKb (K a, K b ) 3. A B: Cert a, Sig SKa (K b,k a ) 4. A outputs K ab = K b a 5. B outputs K ba = K a b 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 37 Summary Designing secure protocols is not easy Becomes harder in a concurrent setting, where there are multiple parties, executing multiple instances of the protocols simultaneously Becomes even harder as the number of parties increase; n- party or group setting Use the protocols that are well-studied and standardized While designing a protocol, consider Reflection attacks Replay attacks Eliminating any symmetry in the messages 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 38

Further Reading Unix password security http://www.ja.net/cert/belgers/unix-passwordsecurity.html MIT Kerberos site: http://web.mit.edu/kerberos/www/ Kerberos RFC: RFC-1510 X.509 page http://www.ietf.org/html.charters/pkixcharter.html Ten Risks of PKI - http://www.schneier.com/paperpki.html 10/15/2009 Module 4 - Protocols: Authentication and Key Exchange 39

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback