Authenticating People and Machines over Insecure Networks

Similar documents
Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Key Establishment and Authentication Protocols EECE 412

Password Authenticated Key Exchange by Juggling

Cryptographic Protocols 1

Lecture Notes 14 : Public-Key Infrastructure

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Password. authentication through passwords

Authentication and Key Distribution

CIS 4360 Secure Computer Systems Applied Cryptography

Public-Key Infrastructure NETS E2008

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Auth. Key Exchange. Dan Boneh

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Chapter 9: Key Management

CS 161 Computer Security

Information Security CS 526

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Decentralized User Authentication in a Global File System

Spring 2010: CS419 Computer Security

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Verteilte Systeme (Distributed Systems)

Authentication. Strong Password Protocol. IT352 Network Security Najwa AlGhamdi

Diffie-Hellman. Part 1 Cryptography 136

1 Identification protocols

CS 425 / ECE 428 Distributed Systems Fall 2017

ECEN 5022 Cryptography

One-Time-Password-Authenticated Key Exchange

CS 161 Computer Security

Number Theory and RSA Public-Key Encryption

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

ICS 180 May 4th, Guest Lecturer: Einar Mykletun

ONE IMPLEMENTATION OF A PROTOCOL FOR GENERATION AND DISTRIBUTION OF CRYPTOGRAPHIC KEYS

Lecture 15 Public Key Distribution (certification)

Fall 2010/Lecture 32 1

Group Key Establishment Protocols

CMSC 414 S09 Exam 2 Page 1 of 6 Name:

User Authentication. Modified By: Dr. Ramzi Saifan

Cryptography and Network Security

Introduction to Cryptography. Ramki Thurimella

1. Diffie-Hellman Key Exchange

Strong Password Protocols

ECE 646 Lecture 3. Key management

Session key establishment protocols

Session key establishment protocols

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

CS Computer Networks 1: Authentication

Overview. Terminology. Password Storage

Cryptographic Checksums

Symmetric Encryption 2: Integrity

Applied Cryptography and Computer Security CSE 664 Spring 2017

CS 161 Computer Security

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Certificateless Public Key Cryptography

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

UNIT - IV Cryptographic Hash Function 31.1

Key management. Pretty Good Privacy

Hash Proof Systems and Password Protocols

User Authentication. Modified By: Dr. Ramzi Saifan

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Proceedings of the 10 th USENIX Security Symposium

Outline Key Management CS 239 Computer Security February 9, 2004

Distributed Systems Principles and Paradigms

Lecture 7 - Applied Cryptography

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Public-key Cryptography: Theory and Practice

Lecture 2 Applied Cryptography (Part 2)

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Network Security (NetSec)

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

Crypto meets Web Security: Certificates and SSL/TLS

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Key Management and Distribution

CSC/ECE 774 Advanced Network Security

Network Working Group. Category: Standards Track September The SRP Authentication and Key Exchange System

PROTECTING CONVERSATIONS

Authentication in Distributed Systems

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

1. Out of the 3 types of attacks an adversary can mount on a cryptographic algorithm, which ones does differential cryptanalysis utilize?

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Distributed Access Control. Trust Management Approach. Characteristics. Another Example. An Example

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

CS Protocols. Prof. Clarkson Spring 2016

18-642: Cryptography 11/15/ Philip Koopman

Overview of Authentication Systems

Key Agreement Schemes

The Tenex password scheme

Key Management and Distribution

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

The Secure Shell (SSH) Protocol

Transcription:

Authenticating People and Machines over Insecure Networks EECE 571B Computer Security Konstantin Beznosov

authenticating people

objective Alice The Internet Bob Password= sesame Password= sesame! authenticate Alice to Bob over insecure network 3

Alice simplistic approach (attempt #1) Alice, x Ok Bob 4

Alice general challenge-response protocol Alice, noncealice challengebob Bob responsealice password password responsealice = f(challengebob, password) How can it be attacked? What else? offline dictionary attack on eavesdropped messages! plaintext-equivalent! 5

desirable properties! mutual authentication! session key! resistant to dictionary attacks! server compromise does not make it easy to find password! password compromise does not lead to revealing past session keys (forward secrecy)! session key compromise does not lead to password compromise! does not take long 6

another view of PAKE a means of bootstraping a common cryptographic key from the (essentially) minimal set up assumption of a lowentropy, shared secret 7

Alice attempt #2 Alice, Epassword(K) Bob EK(Terminal type:) password password K -- random session key generated by Alice How can it be attacked? What else? offline dictionary attack on eavesdropped message from Bob! replay attacks 8

Encrypted Key Exchange (EKE) Alice, P{E A } P{E A {K AB }} Alice K AB {C A } K AB {C A, C B } Bob K AB {C B } plain text for encryption with password P must look random

more on EKE! assumptions! encryption must not leak any useful information! for all P, P -1 {P{EA}} must appear a valid public key! strengthening EKE! what if a session key KAB has been recovered?! SAB = f(sa, SB) 10

EKE with Diffie-Hellman Alice, P{g a mod p} P{g b mod p}, C B Alice (K AB = g ab mod p) K AB {C A, C B } Bob K AB {C A } Why are g a and g b encrypted?

desirable properties! mutual authentication! session key! resistant to dictionary attacks! server compromise does not make it easy to find password! password compromise does not lead to revealing past session keys (forward secrecy)! session key compromise does not lead to password compromise! does not take long 12

EKE properties mutual authentication session key resistant to dictionary attacks - server compromise does not make it easy to find password - password compromise does not lead to revealing past session keys (forward secrecy) session key compromise does not lead to password compromise - does not take long - public key crypto is expensive 13

Asymmetric Key Exchange (AKE) & Secure Remote Password (SRP) Protocol

AKE/SRP features and idea! generalized form of a class of verifier-based protocols! no plaintext-equivalence! does not encrypt protocol flows idea each party! computes a secret! applies one-way function to it to generate a verifier! sends its verifier to the other party! both parties generate session key from secrets and verifies 15

SRP notation

SRP protocol To establish a password P with Bob, Alice picks a random salt s, and computes x and v. Provides Bob with s and v. Alice Bob v = g x S = g ab+bux

SRP demo http://srp.stanford.edu/demo/ 18

optimizing SRP message rounds original optimized one-way authentication optimized 19

SRP properties mutual authentication session key resistant to dictionary attacks server compromise does not make it easy to find password password compromise does not lead to revealing past session keys (forward secrecy) session key compromise does not lead to password compromise does not take long - public key crypto is expensive 20

Decentralized User Authentication in a Global File System

architecture SFS Clients Secure Network Connections ACLenabled File Server Agents Local Auth Server Remote Auth Servers 23

Goals Authenticate users to access the file system Support remote administrative domains Use only local information at access time Avoid certificates

Why not certificates? Complicated infrastructure Certificate chain hard to compute (e.g., SDSI) Or inflexible trust structure (e.g., VeriSign) Overkill for a file system?

SFS Servers Each server has a public key Key part of the name ( self-certifying ) mit.edu,anb726muxau6phtk3zu3nq4n463mwn9a Use key to authenticate server and set up a secure connection Connection provides confidentiality & integrity

Public keys are explicit Always together with the name No PKI necessary Self-Certifying Names Avoids organizational and technical issues Keys are obtained out-of-band Perhaps falling back on people

Authentication Servers One server per administrative domain Identified by self-certifying hostname Authenticate users Unix passwords, public keys, SRP, Manage local names and groups Export user and group records to remote servers

Groups Defined within an administrative domain Has a list of members and a list of owners Each user may define their own groups E.g. alice.friends Members/owners can be remote or local

Group members Member type Local user Local group Remote user Example U=beznosov G=beznosov.571B-students U=billg@microsoft.com,wxyweq Remote group G=faculty@cs.ubc.ca,r34qduk Public key P=d43dft5tr50lkxsdre42

Group members Local users & groups As defined by the authentication server Public key hashes Allow ad-hoc users Protect privacy Remote users & groups Retrieved from remote servers Authenticity protected by self-certifying name

membership graph example Level 0 g1 g2 Level 1 u1 p1 g3 u2 g4 Level 2 p2 p3 p4 u3 Level 3 p5 32

Group Caching Group definitions may be distributed on many servers Each authentication server resolves and caches entire group membership Cache ensures all necessary information is locally available at time of access Though it may be out of date

Resolving Membership Expand group names Query remote servers for group & user definitions Recursively query any new remote names Cache updated every hour Use version numbers to send deltas

Freshness Eventual consistency Use out-of-date data for an hour Problems Longer if server unavailable Revocation Easy to revoke users (with a delay of 1 hour) Hard to revoke server keys

Scalability All relevant group members cached on local server students@berkeley.edu may be large registered-voters@gov.bc.ca wouldn t work It would work with certificates Limit members to 1,000,000 to prevent DOS Most sharing groups are small 571B-students ece-registered_students

ACLs Each file and directory has an ACL Stored in first 512 bytes Lists local users and groups and access rights Read, write, modify ACL Remote names and public keys have to be indirected through a group Save on space Easier to change membership user record in ACL User Name ID GID Version Public Key Privileges SRP Information Audit String group record in ACL Group Name Owners ID Members Version Audit String

What did we lose? Human-readable namespace Key management/revocation Offline operation Scalability Certificates Revisited Are these not important for a global FS?

credits These slides incorporate parts of the following:! Decentralized User Authentication in a Global File System presentation slides from CS294-4, Stanford, N. Borisov, 2003-10-06.! The Secure Password-Based Authentication Protocol by Jeong Yunkyoung.! Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attack, Bellovin and Merritt (IEEE S&P 1992).! The Secure Remote Password Protocol, T. Wu (NDSS 1998). 39

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback