Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010


CS 494/594 Computer and Network Security
Dr. Jinyuan (Stella) Sun
Dept. of Electrical Engineering and Computer Science
University of Tennessee
Fall 2010

Security Handshake Pitfalls
- Login only
- Mutual authentication
- Integrity/encryption after authentication
- Nonce types
- Picking random numbers

Security Protocol
An agreement between communicating parties about the process and the format of security bootstrap, authentication, key establishment, encryption/hashing algorithm and parameter negotiation, etc.
Typically includes:
- Authentication handshake
- Session key negotiation, algorithm/parameter negotiation
- Data encryption and/or integrity protection

Security Bootstrap
Shared secret:
- Password (for human users)
- Pre-shared key (between firewalls)
- Ticket by KDC (among a large number of participants)
Public key:
- Manually configured
- Certificate by CA

Login Only: A Bad Idea
- Alice sends name and password in clear (across network) to Bob
- Bob verifies name and password and communication proceeds

Login Only: A Better Idea Using Shared Secret (1)
- f(K,R) can be K{R} or h(K,R)
- Authentication is one way: impersonation of Bob, offline password guessing, database reading
- How to encrypt subsequent conversation?

Login Only: A Better Idea Using Shared Secret (2)
- Problems: same as the previous one
- Requires reversible cryptography (hash will not work)
- If R is a recognizable number, this protocol does mutual authentication
- Can make R recognizable but with limited lifetime, e.g., timestamp. It however requires clock synchronization

Login Only: A Better Idea Using Shared Secret (3)
Advantages:
- It can be easily added to an existing protocol
- More efficient: it saves two message exchanges
- Bob is stateless
Problems:
- Replay attack (single server, multiple servers)
- Reset clock attack

Login Only: A Better Idea Using Shared Secret (4)
- Same as the previous one, but using a hash
- Why transmit timestamp in the clear?
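Added example (not part of the original slides): a Python sketch of the timestamp-plus-hash login from variants (3) and (4), comparing a stateless Bob with one that remembers timestamps inside the skew window. HMAC-SHA256 stands in for h, and the 120-second skew, the server name inside the hash (to cover the multiple-server case) and all names are assumptions made here.

```python
import hashlib
import hmac

SKEW = 120  # seconds of clock drift Bob tolerates (assumed value)


def login_message(key: bytes, server: str, timestamp: int):
    """Alice's single message: timestamp in the clear plus h(K, server, timestamp)."""
    data = f"{server}|{timestamp}".encode()
    return timestamp, hmac.new(key, data, hashlib.sha256).digest()


class Verifier:
    """Bob. remember=False is the stateless server described on the slide."""

    def __init__(self, key: bytes, name: str, remember: bool):
        self.key, self.name, self.remember = key, name, remember
        self.seen = set()  # timestamps already accepted inside the window

    def accept(self, msg, now: int) -> bool:
        timestamp, tag = msg
        _, expected = login_message(self.key, self.name, timestamp)
        if not hmac.compare_digest(tag, expected):
            return False  # wrong key, or message minted for another server
        if abs(now - timestamp) > SKEW:
            return False  # outside the acceptable clock skew
        if self.remember:
            # Entries older than the window are rejected by the skew check
            # anyway, so they can be forgotten.
            self.seen = {t for t in self.seen if abs(now - t) <= SKEW}
            if timestamp in self.seen:
                return False  # replay inside the window
            self.seen.add(timestamp)
        return True
```

The timestamp has to travel in the clear here because a hash cannot be reversed: Bob needs the value to recompute the tag.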

Login Only: A Better Idea Using PKC (1)
Implications:
- Compromise of Bob's database will not allow attacker to impersonate Alice
- Attacker may be able to trick Alice into signing anything

Login Only: A Better Idea Using PKC (2)
Implications:
- Compromise of Bob's database will not allow attacker to impersonate Alice
- Attacker may be able to trick Alice into decrypting anything

Mutual Authentication (1)
- Problem: inefficient

Mutual Authentication (2): Optimized
Implications:
- More efficient
- Subject to reflection attack: easy to obtain chosen plaintext

Reflection Attack
- Trudy opens 1st session to Bob
- Trudy opens 2nd session to Bob in order to get information needed to complete 1st session

Reflection Attack (Cont'd)
Solution: Alice and Bob should not do exactly the same thing: different keys, different challenges
- Different keys: have Bob encrypt with KAlice-Bob and Alice encrypt with KAlice-Bob+1, etc.
- Different challenges: initiator (Alice) sends odd R, responder (Bob) sends even R, etc.
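Added example (not part of the original slides): the slide diagrams did not survive, so this Python sketch assumes the optimized handshake is: Alice sends "I'm Alice", R2; Bob replies R1, f(K, R2); Alice replies f(K, R1), with HMAC-SHA256 standing in for f. It replays the two-session reflection against a responder without and with the odd/even challenge rule; the class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-shared-secret"  # constructed sample key shared by Alice and Bob


def f(key: bytes, challenge: int) -> bytes:
    """f(K, R): keyed hash of the challenge (HMAC-SHA256 stands in for f)."""
    return hmac.new(key, challenge.to_bytes(16, "big"), hashlib.sha256).digest()


def new_challenge(parity: int) -> int:
    """Random 128-bit value whose low bit is forced to `parity`."""
    return (secrets.randbits(127) << 1) | parity


class Bob:
    """Responder in the optimized three-message handshake."""
    def __init__(self, key: bytes, enforce_parity: bool):
        self.key = key
        self.enforce_parity = enforce_parity
        self.pending = {}  # session id -> challenge R1 that Bob issued

    def msg1(self, sid: int, r2: int):
        """Handle "I'm Alice", R2; return (R1, f(K, R2)) or None if refused."""
        if self.enforce_parity and r2 % 2 == 0:
            return None  # initiators must send odd challenges
        r1 = new_challenge(parity=0)  # responder challenges are always even
        self.pending[sid] = r1
        return r1, f(self.key, r2)

    def msg3(self, sid: int, response: bytes) -> bool:
        """Handle f(K, R1); True means Bob believes the peer is Alice."""
        r1 = self.pending.pop(sid, None)
        return r1 is not None and hmac.compare_digest(response, f(self.key, r1))


def reflection_succeeds(bob: Bob) -> bool:
    """Run the two-session reflection without ever using the key."""
    first = bob.msg1(sid=1, r2=new_challenge(parity=1))
    if first is None:
        return False
    r1, _ = first
    second = bob.msg1(sid=2, r2=r1)  # Bob's own challenge sent back to him
    if second is None:
        return False
    _, answer = second  # f(K, R1), computed by Bob himself
    return bob.msg3(sid=1, response=answer)
```

With the parity rule enforced, Bob never computes f over a value he could have issued himself, so the second session yields nothing usable in the first.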

Mutual Authentication (3): Less Optimized
Implications:
- One "extra" message and Trudy cannot obtain chosen plaintext
- Rule: the initiator should be the first to prove its identity (the assumption is that the initiator is more likely the bad guy)

Mutual Authentication (4)
Implications:
- How to obtain public keys?
- Store Bob's public key encrypted with Alice's password
- Store Bob's public key certificate signed by Alice

Mutual Authentication (5)
Implications:
- Can be easily added to existing challenge/response protocols
- Alice and Bob must encrypt different things
- Clock synchronization: time is now security-critical
- Reflection attack

Integrity/Encryption After Authentication
How to establish a session key during authentication?
- By shared secret
- By two-way public key
- By one-way public key

Shared Secret
After this authentication:
- Can we use K{R+1} as the shared session key?
- How about K XOR R, K{K+R}, K+R{R}, h{k R}?
In general, a good session key is:
- different for each session
- unguessable by attacker

Two Way Public Key
Alice and Bob each has a public/private key pair
- How about Alice picks a random R, and sends {R}Bob to Bob
  - Trudy can impersonate Alice
- How about Alice sends [{R}Bob]Alice to Bob
  - Trudy can obtain R by overrunning Bob and decrypt old messages
- Alice sends Bob [{R1}Bob]Alice, Bob sends Alice [{R2}Bob]Alice, and the session key is R = R1 XOR R2
  - Trudy needs to overrun both Alice and Bob
- Diffie-Hellman key establishment: Alice sends Bob [g^R1 mod p]Alice, Bob sends Alice [g^R2 mod p]Bob, and the session key is R = g^(R1*R2) mod p
  - Doesn't help even if Trudy overruns both Alice and Bob

One Way Public Key
Only Server Bob has a public/private key pair, Client Alice won't bother having keys and certificate: SSL
- Alice picks a random R, and sends {R}Bob to Bob
  - Trudy can decrypt old messages by overrunning Bob
- Diffie-Hellman key establishment: Alice sends Bob g^R1 mod p, Bob sends Alice [g^R2 mod p]Bob, and the session key is R = g^(R1*R2) mod p
- Trudy can impersonate Alice in either case

Nonce Types
Nonce: a quantity used only once
- Large random number: unguessable, unpredictable, non-reuse w.h.p., makes the best nonce
- Timestamp: requires clock synchronization
- Sequence number: needs to maintain state
Figure labels: unpredictability is important; unpredictability is not required

Picking Random Numbers
- Different applications require different types of random numbers
- A common approach for cryptographic operations: pseudorandom number generator
  - seed value is critical
  - common mistakes: seed is from a small space, hashing the current time when a random value is needed, divulging the seed value
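Added example (not part of the original slides): a Python sketch of the "hashing the current time" mistake beside a CSPRNG draw, with a helper that counts how few candidates an observer who knows the approximate time has to hash to reproduce the value. The function names, the 16-byte length and the sample timestamp are assumptions made here.

```python
import hashlib
import secrets


def weak_nonce(now_seconds: int) -> bytes:
    """The mistake from the slide: hash the current time to get a 'random' value."""
    return hashlib.sha256(str(now_seconds).encode()).digest()[:16]


def strong_nonce() -> bytes:
    """128 bits drawn from the operating system CSPRNG."""
    return secrets.token_bytes(16)


def guesses_needed(nonce: bytes, approx_time: int, window: int):
    """Hash every second within +/- window of approx_time, oldest first.

    Returns how many candidates were hashed before one reproduced the
    nonce, or None if no timestamp in the window does.
    """
    candidates = range(approx_time - window, approx_time + window + 1)
    for tried, t in enumerate(candidates, start=1):
        if weak_nonce(t) == nonce:
            return tried
    return None


def search_space(window: int) -> int:
    """Number of seeds an observer must consider for a time-derived value."""
    return 2 * window + 1


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed sample timestamp
    observed = weak_nonce(issued_at)
    # Observer's clock estimate is 37 s off; a 5 minute window still finds it.
    print(guesses_needed(observed, issued_at + 37, 300), "of", search_space(300))
    print(guesses_needed(strong_nonce(), issued_at + 37, 300))
```

The output of the hash looks uniform, but its unpredictability is bounded by the size of the seed space, not by the 128 bits of output.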

Authentication Protocol Checklist
Authentication protocols protect against:
- eavesdropping
- impersonation
- database reading
- message modification
- combinations of the above

Reading Assignment
- [Kaufman] Chapter 11