Data Security and Privacy. Topic 14: Authentication and Key Establishment

Similar documents
Information Security CS 526

Fall 2010/Lecture 32 1

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Session key establishment protocols

Session key establishment protocols

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Datasäkerhetsmetoder föreläsning 7

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Authentication in Distributed Systems

David Wetherall, with some slides from Radia Perlman s security lectures.

Cryptographic Protocols 1

Key Agreement. Guilin Wang. School of Computer Science, University of Birmingham

Introduction and Overview. Why CSCI 454/554?

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

1. Diffie-Hellman Key Exchange

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Authentication Handshakes

T Cryptography and Data Security

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

CSC 474/574 Information Systems Security

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Course Administration

CS November 2018

Lecture 1: Course Introduction

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

Network Security Chapter 8

Spring 2010: CS419 Computer Security

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

CPSC 467b: Cryptography and Computer Security

Securing Internet Communication: TLS

Key Management and Distribution

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

From Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design. Edition 4 Pearson Education 2005

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Auth. Key Exchange. Dan Boneh

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

CS 494/594 Computer and Network Security

Transport Level Security

CSC 774 Network Security

CSC/ECE 774 Advanced Network Security

Security Handshake Pitfalls

Security Handshake Pitfalls

Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Security: Focus of Control. Authentication

Overview. SSL Cryptography Overview CHAPTER 1

Computer Security 3e. Dieter Gollmann. Chapter 15: 1

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

Real-time protocol. Chapter 16: Real-Time Communication Security

CS Computer Networks 1: Authentication

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Cryptography and Network Security

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

CIS 4360 Secure Computer Systems Applied Cryptography

EEC-682/782 Computer Networks I

Station-to-Station Protocol

(2½ hours) Total Marks: 75

Encryption. INST 346, Section 0201 April 3, 2018

Cryptographic Checksums

Internet security and privacy

Cryptography (Overview)

Authentication in real world: Kerberos, SSH and SSL. Zheng Ma Apr 19, 2005

Chapter 8. Network Security. Cryptography. Need for Security. An Introduction to Cryptography 10/7/2010

Cryptography and Network Security Chapter 10. Fourth Edition by William Stallings

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Cryptography and Network Security

Security: Focus of Control

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Applied Cryptography and Computer Security CSE 664 Spring 2017

But where'd that extra "s" come from, and what does it mean?

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

CIS 6930/4930 Computer and Network Security. Final exam review

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

KALASALINGAM UNIVERSITY

1.264 Lecture 28. Cryptography: Asymmetric keys

Key distribution and certification

13/10/2013. Kerberos. Key distribution and certification. The Kerberos protocol was developed at MIT in the 1980.

Lecture 19: cryptographic algorithms

Cryptography and Network Security

CSE484 Final Study Guide

UNIT - IV Cryptographic Hash Function 31.1

Security issues: Encryption algorithms. Threats Methods of attack. Secret-key Public-key Hybrid protocols. CS550: Distributed OS.

CRYPTOGRAPHY AND NETWROK SECURITY-QUESTION BANK

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

Chapter 8. Network Security. Need for Security. An Introduction to Cryptography. Transposition Ciphers One-Time Pads

18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange. Dan Boneh

Lecture 15 Public Key Distribution (certification)

Key Establishment. Chester Rebeiro IIT Madras. Stinson : Chapter 10

Authentication and Key Distribution

Transcription:

Data Security and Privacy Topic 14: Authentication and Key Establishment 1

Announcements Mid-term Exam Tuesday March 6, during class 2

Need for Key Establishment Encrypt K (M) C = Encrypt K (M) M = Decrypt K (C) Alice and Bob share a secret key K How to establish the shared key? How to refresh it (not a good idea to encrypt a lot of data with the same key) 3

Long-Term Key vs. Session Key Session key: temporary key, used for a short time period. Long-term key: used for a long term period, sometimes public and secret key pairs used to sign messages. Using session keys to: limit available cipher-text encrypted with the same key limit exposure in the event of key compromise avoid long-term storage of a large number of distinct secret keys create independence across communications sessions or applications 4

Key Transport vs. Key Agreement Key establishment: process to establish a shared secret key available to two or more parties; key transport: one party creates, and securely transfers it to the other(s). key agreement: key establishment technique in which a shared secret is derived by two (or more) parties 5

Key Pre-distribution vs. Dynamic Key Establishment Key establishment Key pre-distribution: established keys are completely determined a priori by initial keying material generally in the form of key agreement Dynamic shared key establishment: protocols that keys established between a fixed group of users varies in different sessions also known as session key establishment could be key transport or key agreement 6

Assumptions and Adversaries Assumption: Protocol messages are transmitted over open networks An adversary may Eavesdrop messages. Altering messages to help recover the key Inject messages into existing sessions Initiate one or more protocol execution (possibly simultaneously) and combine messages from one with another) 7

Effects of Key Compromise Perfect forward secrecy: compromise of long-term key does not compromise past session keys. Known-key attack: compromise of past session keys allows either a passive adversary to compromise future session keys, or impersonation by an active adversary in the future. 8

Basic Key Transport Protocol Assumes a long term symmetric key K shared between A and B Basic: new key is r A A B: E K (r A ) Prevents replay: new key is r A A B: E K (r A, t A, B), Where t A is a time-stamp 9

Basic Key Transport Protocol (cont.) Provides mutual entity authentication and key authentication Jointly control the key Does not provide perfect forward secrecy n B E K (r A, n A, n B, B) E K (r B, n B, n A, A) n A, n B are nounces, newly generated random numbers Key derived from r A and r B 10

Authenticated Key Exchange Protocol 2 (AKEP2) Setup: A and B share long-term keys K and K h K is a MAC (keyed hash function) h K is a pseudo-random permutation (a block cipher) establish key W = h K (r B ) r A (B, A, r A, r B ), h K (B, A, r A, r B ) (A, r B ), h K (A, r B ) 11

Properties Associated with Authentication Protocols Entity authentication: identity of a party, and aliveness at a given instant Data origin authentication: identity of the source of the data Implicit key authentication: one party is assured that no other party aside from a specifically identified second party may gain access to a particular secret key. Key confirmation: one party is assured that a second party actually has possession of a particular secret key. Explicit key authentication: both (implicit) key authentication and key confirmation hold. 12

Other Issues in Key Establishment Type of the authentication: unilateral vs. mutual Key freshness: whether the established key could be one used in previous sessions Key control: key distribution vs. key agreement Efficiency: communication (number of message and communication rounds) and computation (exponentiations and digital signatures) costs Use of trusted third party (TTP): on-line/off-line/no third party degree of trust required in a third party 13

Key Agreement among Multiple Parties For a group of N parties, every pair needs to share a different symmetric key What is the number of keys? What secure channel to use to establish the keys? How to establish such keys Symmetric Encryption - Use a central authority, a.k.a. (TTP). Asymmetric Encryption PKI. 14

Key Establishment by Means of Symmetric Encryption Every pair shares one long-term key Use TTP Each entity maintains long-term keys with TTP Easy to add and remove entities Each entity needs to store only one long-term secret key Trust in TTP, it can read all messages. Compromise of TTP leads to compromise of all communication channels. 15

Needham-Schroeder Shared-Key Protocol Parties: A, B, and trusted server T Setup: A and T share K AT, B and T share K BT Goal: Security: Mutual entity authentication between A and B; key establishment, Secure against active attacker & replay Efficiency: Minimize the involvement of T; T can be stateless Messages: A T: A, B, N A (1) A T: E[K AT ] (N A, B, k, E[K BT ](k,a)) (2) A B: E[K BT ] (k, A) (3) A B: E[k] (N B ) (4) A B: E[k] (N B -1) (5) What bad things can happen if there is no N A? Another subtle flaw in Step 3. 16

Kerberos Implements the idea of Needham- Schroeder protocol Kerberos is a network authentication protocol Provides authentication and secure communication Relies entirely on symmetric cryptography Developed at MIT: http://web.mit.edu/kerberos/www Used in many systems, e.g., Windows 2000 and later as default authentication protocol 17

Kerberos Overview One issue of Needham-Schroeder Needs [K AT ] to talk to any new service. Think about a login session with K AT derived from a password; either the password needs to be stored, or user needs to enter Kerberos solution: Separates TTP into an AS and a TGS. The client authenticates to AS using a long-term shared secret and receives a TGT [SSO]. Use this TGT to get additional tickets from TGS without resorting to using the shared secret. AS = Authentication Server SS = Service Server TGS = Ticket Granting Server TGT = Ticket Granting Ticket 18

Kerberos Protocol - 1 AS (authentication server) TGS (ticket-granting server) 1 2 3 C (client) 4 5 6 SS (server) 19

Kerberos Protocol 2 (Simplified) 1. C AS: TGS N C 2. AS C: {K C,TGS C} KAS,TGS {K C,TGS N C TGS} KAS,C (Note that the first part of message 2 is the ticket granting ticket (TGT) for the TGS) 3. C TGS: SS N C {K C,TGS C} KAS,TGS {C T 1 } KC,TGS 4. TGS C: {K C,SS C} KTGS,SS {K C,SS N C SS} KC,TGS (Note that the first part in message 4 is the ticket for the server S). 5. C SS: {K C,SS C} KTGS,SS {C T 2 } KC,SS 6. SS C: {T 3 } KC,SS 20

Kerberos Drawback Highly trusted TTP: KS Malicious KS can silently eavesdrop in any communication Single point of failure: Security partially depends on tight clock synchronization. Useful primarily inside an organization Does it scale to Internet? What is the main difficulty? 21

Key Establishment by Means of Public Key Encryption Often use public-key certificates Require off-line Trusted Third Party in the form of CA 22

Needham-Schroeder Public Key Protocol Setup: A and B both have each other s public key Goal: mutual entity authentication and authenticated key establishment E[P B ] (N A, A) E[P A ] (N A, N B ) E[P B ](N B ) P A and P B are public keys, N A and N B are nounces that can be used to derive a session key. 23

Lowe s Attack on Needham-Schroeder Public-key Protocol [95] The intruder can convince B that it is A, when A communicates with I. A I: E[P I ] (N A, A) A I: E[P A ] (N A, N B ) A I: E[P I ] (N B ) How to fix this? I B: E[P B ] (N A, A) I B: E[P A ] (N A, N B ) I B: E[P B ] (N B ) Fix: add B s name the second message 24

Public Keys and Trust Public Key: P A Secret key: S A Public Key: P B Secret key: S B How are public keys stored? How to obtain the public key? How does Bob know or trusts that P A is Alice s public key? 25

Distribution of Public Keys Public announcement: users distribute public keys to recipients or broadcast to community at large. Publicly available directory: can obtain greater security by registering keys with a public directory. Both approaches have problems, and are vulnerable to forgeries 26

Public-Key Certificates A certificate binds identity (or other information) to public key Contents digitally signed by a trusted Public-Key or Certificate Authority (CA) Can be verified by anyone who knows the public-key authority s public-key. For Alice to send an encrypted message to Bob, obtains a certificate of Bob s public key 27

Public Key Certificates 28

X.509 Certificates Part of X.500 directory service standards. Started in 1988 Defines framework for authentication services: Defines that public keys stored as certificates in a public directory. Certificates are issued and signed by an entity called certification authority (CA). Used by numerous applications: SSL, IPSec, SET Example: see certificates accepted by your browser 29

How to Obtain a Certificate? Define your own CA (use openssl or Java Keytool) Certificates unlikely to be accepted by others Obtain certificates from one of the vendors: VeriSign, Thawte, and many others 30

CAs and Trust Certificates are trusted if signature of CA verifies Chain of CA s can be formed, head CA is called root CA In order to verify the signature, the public key of the root CA should be obtain. TRUST is centralized (to root CA s) and hierarchical What bad things can happen if the root CA system is compromised? How does this compare with the TTP in Needham/Schroeder protocol? 31

Key Agreement: Diffie-Hellman Protocol Key agreement protocol, both A and B contribute to the key Setup: p prime and g generator of Z p *, p and g public. g a mod p g b mod p Pick random, secret (a) Compute and send g a mod p K = (g b mod p) a = g ab mod p Pick random, secret (b) Compute and send g b mod p K = (g a mod p) b = g ab mod p 32

Authenticated Diffie-Hellman g a mod n g c mod n g c mod n g b mod n Alice computes g ac mod n and Bob computes g bc mod n!!! C Alice, g a mod n, Sign Alice (g a mod n) C Bob, g b mod n, Sign Bob (g b mod n) 33

MTI gx mod p gy mod p k = (gy)apk b x = gya gbx = gya+bx k = (gx)bpk a y a and b are the private keys of A and B g a and g b are public keys of A and B Secure against passive attacks only Provides mutual (implicit) key authentication but neither key confirmation nor entity authentication 34

Station-to-Station (STS) g x mod p g y mod p, E k (Sign B (g y, g x )) E k (Sign A (g x, g y )) where k=(g x ) y mod p Provides mutual entity authentication 35

Secure communication 36

Transport Layer Security (TLS) Predecessors: Secure socket layer (SSL): Versions 1.0, 2.0, 3.0 TLS 1.0 (SSL 3.1); Jan 1999 TLS 1.1 (SSL 3.2); Apr 2006 TLS 1.2 (SSL 3.3); Aug 2008 Standard for Internet security Originally designed by Netscape Goal:... provide privacy and reliability between two communicating applications Two main parts Handshake Protocol Establish shared secret key using public-key cryptography Signed certificates for authentication Record Layer Transmit data using negotiated key, encryption function 37

Usage of SSL/TLS Applied on top of transport layer (typically TCP) Used to secure HTTP (HTTPS), SMTP, etc. One or both ends can be authenticated using public key and certificates Typically only the server is authenticated Client & server negotiate a cipher suite, which includes A key exchange algorithm, e.g., RSA, Diffie-Hellman, SRP, etc. An encryption algorithm, e.g., RC4, Triple DES, AES, etc. A MAC algorithm, e.g., HMAC-MD5, HMC-SHA1, etc. 38

Viewing HTTPS web sites Browser needs to communicate to the user the fact that HTTPS is used E.g., a golden lock indicator on the bottom or on the address bar Check some common websites When users correctly process this information, can defeat phishing attacks Security problems exist People don t know about the security indicator People forgot to check the indicator Browser vulnerabilities enable incorrect indicator to be shown Use confusing URLs, e.g., https:// homebanking.purdueefcu.com@host.evil.com/ Stored certificate authority info may be changed 39

Next Lecture How Crypto Fails in Real World 40

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback