Chapter eight: Authentication Protocols 2013 Term 2.

Slides:



Advertisements
Similar presentations
CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Advertisements

Chapter 10 Real world security protocols
CSC 474 Information Systems Security
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
CSE331: Introduction to Networks and Security Lecture 24 Fall 2002.
More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
CMSC 414 Computer and Network Security Lecture 23 Jonathan Katz.
Protocols Part 3  Protocols 1.
CMSC 414 Computer (and Network) Security Lecture 24 Jonathan Katz.
Lecture 24 Cryptography CPE 401 / 601 Computer Network Systems slides are modified from Jim Kurose and Keith Ross and Dave Hollinger.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Strong Password Protocols
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
Part 3  Protocols 1 Part III: Protocols Part 3  Protocols 2 Protocol  Human protocols  the rules followed in human interactions o Example: Asking.
8-1Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity, authentication.
1 Lecture 14: Real-Time Communication Security real-time communication – two parties interact in real time (as opposed to delayed communication like )
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
Protocols Part 3  Protocols 1.
Chapter 9 Simple Authentication Protocols
Lecture 14 ISAKMP / IKE Internet Security Association and Key Management Protocol / Internet Key Exchange CIS CIS 5357 Network Security.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
Presented by: Suparita Parakarn Kinzang Wangdi Research Report Presentation Computer Network Security.
1 Security and Cryptography: basic aspects Ortal Arazi College of Engineering Dept. of Electrical & Computer Engineering The University of Tennessee.
1 Lecture 9: Cryptographic Authentication objectives and classification one-way –secret key –public key mutual –secret key –public key establishing session.
Upper OSI Layers Natawut Nupairoj, Ph.D. Department of Computer Engineering Chulalongkorn University.
Digital Signatures, Message Digest and Authentication Week-9.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
1 Network Security Basics. 2 Network Security Foundations: r what is security? r cryptography r authentication r message integrity r key distribution.
CPS 290 Computer Security Network Tools Cryptography Basics CPS 290Page 1.
6 June Lecture 2 1 TU Dresden - Ws on Proof Theory and Computation Formal Methods for Security Protocols Catuscia Palamidessi Penn State University,
Cryptography 1 Crypto Cryptography 2 Crypto  Cryptology  The art and science of making and breaking “secret codes”  Cryptography  making “secret.
Authentication Issues and Solutions CSCI 5857: Encoding and Encryption.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Authentication. Goal: Bob wants Alice to “prove” her identity to him Protocol ap1.0: Alice says “I am Alice” Failure scenario?? “I am Alice”
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Authentication Protocols (I): Secure Handshake.
Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.
Chapter 4: Public Key Cryptography
Network Security and It’s Issues Presenter Prosanta Gope Advisor Prof. Tzonelih Hwang Quantum Information and Network Security Lab, NCKU,2015.
Identify Friend or Foe (IFF) Chapter 9 Simple Authentication protocols Namibia Angola 1. N 2. E(N,K) SAAF Impala Russian MIG 1 Military needs many specialized.
1 Authenticated Key Exchange Rocky K. C. Chang 20 March 2007.
1 Secure Key Exchange: Diffie-Hellman Exchange Dr. Rocky K. C. Chang 19 February, 2002.
Chapter 9 Simple Authentication Protocols Simple Security Protocol Authentication Protocols Authentication and TCP Chapter 9 Simple Authentication protocols.
Lesson Introduction ●Authentication protocols ●Key exchange protocols ●Kerberos Security Protocols.
Network Security and It’s Issues
Security Handshake Pitfalls. Client Server Hello (K)
Computer and Information Security
CPS 512 Distributed Systems
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Protocol ap1.0: Alice says “I am Alice”
Basic Network Encryption
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Chapter 8 roadmap 8.1 What is network security?
Presentation transcript:

Chapter eight: Authentication Protocols 2013 Term 2

Part 3  Protocols 2 Protocol Human protocols  the rules followed in human interactions  Example: Asking a question in class Networking protocols  rules followed in networked communication systems  Examples: HTTP, FTP, etc. Security protocol  the (communication) rules followed in a security application  Examples: SSL, IPSec, Kerberos, etc.

Part 3  Protocols 3 Protocols Protocol flaws can be very subtle Several well-known security protocols have significant flaws  Including WEP, GSM, and even IPSec Implementation errors can occur  Such as IE implementation of SSL Not easy to get protocols right…

Part 3  Protocols 4 Ideal Security Protocol Satisfies security requirements  Requirements must be precise Efficient  Small computational requirement  Small bandwidth usage, network delays… Not fragile  Works when attacker tries to break it  Works even if environment changes Easy to use and implement, flexible… Difficult to satisfy all of these!

Part 3  Protocols 5 ATM Machine Protocol 1. Insert ATM card 2. Enter PIN 3. Correct PIN? Yes? Conduct your transaction(s) No? Machine (eventually) eats card

Part 3  Protocols 6 Authentication Protocols

Part 3  Protocols 7 Authentication Alice must prove her identity to Bob  Alice and Bob can be humans or computers May also require Bob to prove he’s Bob (mutual authentication) Probably need to establish a session key May have other requirements, such as  Use only public keys  Use only symmetric keys  Use only hash functions

Part 3  Protocols 8 Authentication Authentication on a stand-alone computer is relatively simple  “Secure path” is an issue  Attacks on authentication software Authentication over a network is challenging  Attacker can passively observe messages  Attacker can replay messages  Active attacks possible (insert, delete, change)

Part 3  Protocols 9 Simple Authentication Alice Bob “I’m Alice” Prove it My password is “frank” Simple and may be OK for standalone system But insecure for networked system  Subject to a replay attack (next 2 slides)  Also, Bob must know Alice’s password

Part 3  Protocols 10 Authentication Attack Alice Bob “I’m Alice” Prove it My password is “frank” Trudy

Part 3  Protocols 11 Authentication Attack Bob “I’m Alice” Prove it My password is “frank” Trudy This is an example of a replay attack How can we prevent a replay?

Part 3  Protocols 12 Simple Authentication Alice Bob I’m Alice, my password is “frank” More efficient, but… … same problem as previous version

Part 3  Protocols 13 Better Authentication Alice Bob “I’m Alice” Prove it h(Alice’s password) Better since it hides Alice’s password  From both Bob and Trudy But still subject to replay

Part 3  Protocols 14 Challenge-Response To prevent replay, use challenge-response  Goal is to ensure “freshness” Suppose Bob wants to authenticate Alice  Challenge sent from Bob to Alice Challenge is chosen so that  Replay is not possible  Only Alice can provide the correct response  Bob can verify the response

Part 3  Protocols 15 Nonce To ensure freshness, can employ a nonce  Nonce == number used once What to use for nonces?  That is, what is the challenge? What should Alice do with the nonce?  That is, how to compute the response? How can Bob verify the response? Should we rely on passwords or keys?

Part 3  Protocols 16 Challenge-Response Bob “I’m Alice” Nonce h(Alice’s password, Nonce)  Nonce is the challenge  The hash is the response  Nonce prevents replay, ensures freshness  Password is something Alice knows  Bob must know Alice’s pwd to verify Alice

Part 3  Protocols 17 Generic Challenge-Response Bob “I’m Alice” Nonce Something that could only be Alice from Alice (and Bob can verify) In practice, how to achieve this? Hashed pwd works… Maybe encryption is better? Why?

Part 3  Protocols 18 Symmetric Key Notation Encrypt plaintext P with key K C = E(P,K) Decrypt ciphertext C with key K P = D(C,K) Here, we are concerned with attacks on protocols, not attacks on crypto So, we assume crypto algorithms secure

Part 3  Protocols 19 Authentication: Symmetric Key Alice and Bob share symmetric key K Key K known only to Alice and Bob Authenticate by proving knowledge of shared symmetric key How to accomplish this?  Must not reveal key, must not allow replay (or other) attack, must be verifiable, …

Part 3  Protocols 20 Authentication with Symmetric Key Alice, K Bob, K “I’m Alice” E(R,K)  Secure method for Bob to authenticate Alice  Alice does not authenticate Bob  So, can we achieve mutual authentication? R

Part 3  Protocols 21 Mutual Authentication? Alice, K Bob, K “I’m Alice”, R E(R,K) What’s wrong with this picture? “Alice” could be Trudy (or anybody else)!

Part 3  Protocols 22 Mutual Authentication Since we have a secure one-way authentication protocol… The obvious thing to do is to use the protocol twice  Once for Bob to authenticate Alice  Once for Alice to authenticate Bob This has got to work…

Part 3  Protocols 23 Mutual Authentication Alice, K Bob, K “I’m Alice”, R A R B, E(R A, K) E(R B, K) This provides mutual authentication… …or does it? See the next slide

Part 3  Protocols 24 Mutual Authentication Attack Bob, K 1. “I’m Alice”, R A 2. R B, E(R A, K) Trudy Bob, K 3. “I’m Alice”, R B 4. R C, E(R B, K) Trudy 5. E(R B, K)

Part 3  Protocols 25 Mutual Authentication Our one-way authentication protocol is not secure for mutual authentication  Protocols are subtle!  The “obvious” thing may not be secure Also, if assumptions or environment change, protocol may not be secure  This is a common source of security failure  For example, Internet protocols

Part 3  Protocols 26 Symmetric Key Mutual Authentication Alice, K Bob, K “I’m Alice”, R A R B, E(“Bob”,R A,K) E(“Alice”,R B,K) Do these “insignificant” changes help? Yes!

Part 3  Protocols 27 Public Key Notation Encrypt M with Alice’s public key: {M} Alice Sign M with Alice’s private key: [M] Alice Then  [{M} Alice ] Alice = M  {[M] Alice } Alice = M Anybody can do public key operations Only Alice can use her private key

Part 3  Protocols 28 Public Key Authentication Alice Bob “I’m Alice” {R} Alice R Is this secure? Trudy can get Alice to decrypt anything!  So, should have two key pairs

Part 3  Protocols 29 Public Key Authentication Alice Bob “I’m Alice” R [R] Alice Is this secure? Trudy can get Alice to sign anything!  Same a previous  should have two key pairs

Part 3  Protocols 30 Public Keys Generally, a bad idea to use the same key pair for encryption and signing Instead, should have…  …one key pair for encryption/decryption…  …and a different key pair for signing/verifying signatures

Part 3  Protocols 31 Session Key Usually, a session key is required  I.e., a symmetric key for a particular session  Used for confidentiality and/or integrity How to authenticate and establish a session key (i.e., shared symmetric key)?  When authentication completed, want Alice and Bob to share a session key  Trudy cannot break the authentication…  …and Trudy cannot determine the session key

Part 3  Protocols 32 Authentication & Session Key Alice Bob “I’m Alice”, R {R,K} Alice {R +1,K} Bob Is this secure?  Alice is authenticated and session key is secure  Alice’s “nonce”, R, useless to authenticate Bob  The key K is acting as Bob’s nonce to Alice No mutual authentication

Part 3  Protocols 33 Public Key Authentication and Session Key Alice Bob “I’m Alice”, R [R,K] Bob [R +1,K] Alice Is this secure?  Mutual authentication (good), but…  … session key is not secret (very bad)

Part 3  Protocols 34 Public Key Authentication and Session Key Alice Bob “I’m Alice”, R {[R,K] Bob } Alice {[R +1,K] Alice } Bob Is this secure? Seems to be OK Mutual authentication and session key!

Part 3  Protocols 35 Public Key Authentication and Session Key Alice Bob “I’m Alice”, R [{R,K} Alice ] Bob [{R +1,K} Bob ] Alice Is this secure? Seems to be OK  Anyone can see {R,K} Alice and {R +1,K} Bob

Part 3  Protocols 36 Perfect Forward Secrecy Consider this “issue”…  Alice encrypts message with shared key K and sends ciphertext to Bob  Trudy records ciphertext and later attacks Alice’s (or Bob’s) computer to recover K  Then Trudy decrypts recorded messages Perfect forward secrecy (PFS): Trudy cannot later decrypt recorded ciphertext  Even if Trudy gets key K or other secret(s) Is PFS possible?

Part 3  Protocols 37 Perfect Forward Secrecy Suppose Alice and Bob share key K For perfect forward secrecy, Alice and Bob cannot use K to encrypt Instead they must use a session key K S and forget it after it’s used Can Alice and Bob agree on session key K S in a way that ensures PFS?

Part 3  Protocols 38 Naïve Session Key Protocol Trudy could record E(K S, K) If Trudy later gets K then she can get K S  Then Trudy can decrypt recorded messages Alice, K Bob, K E(K S, K) E(messages, K S )

Part 3  Protocols 39 Perfect Forward Secrecy We use Diffie-Hellman for PFS Recall: public g and p  But Diffie-Hellman is subject to MiM  How to get PFS and prevent MiM? Alice, aBob, b g a mod p g b mod p

Part 3  Protocols 40 Perfect Forward Secrecy Session key K S = g ab mod p Alice forget s a, Bob forget s b So-called Ephemeral Diffie-Hellman Neither Alice nor Bob can later recover K S Are there other ways to achieve PFS? Alice: K, aBob: K, b E(g a mod p, K) E(g b mod p, K)

Part 3  Protocols 41 Mutual Authentication, Session Key and PFS Alice Bob “I’m Alice”, R A R B, [{R A, g b mod p} Alice ] Bob [{R B, g a mod p} Bob ] Alice  Session key is K = g ab mod p  Alice forgets a and Bob forgets b  If Trudy later gets Bob’s and Alice’s secrets, she cannot recover session key K

Part 3  Protocols 42 Timestamps A timestamp T is derived from current time Timestamps used in some security protocols  Kerberos, for example Timestamps reduce number of msgs (good)  Like a nonce that both sides know in advance “Time” is a security-critical parameter (bad) Clocks never exactly the same, so must allow for clock skew  creates risk of replay  How much clock skew is enough?

Part 3  Protocols 43 Public Key Authentication with Timestamp T Bob “I’m Alice”, {[T, K] Alice } Bob {[T +1, K] Bob } Alice Alice  Secure mutual authentication?  Session key?  Seems to be OK

Part 3  Protocols 44 Public Key Authentication with Timestamp T Bob “I’m Alice”, [{T, K} Bob ] Alice [{T +1, K} Alice ] Bob Alice  Secure authentication and session key?  Trudy can use Alice’s public key to find {T, K} Bob and then…

Part 3  Protocols 45 Public Key Authentication with Timestamp T Bob “I’m Trudy”, [{T, K} Bob ] Trudy [{T +1, K} Trudy ] Bob Trudy  Trudy obtains Alice-Bob session key K  Note: Trudy must act within clock skew

Part 3  Protocols 46 Public Key Authentication Sign and encrypt with nonce…  Secure Encrypt and sign with nonce…  Secure Sign and encrypt with timestamp…  Secure Encrypt and sign with timestamp…  Insecure Protocols can be subtle!

Part 3  Protocols 47 Public Key Authentication with Timestamp T Bob “I’m Alice”, [{T, K} Bob ] Alice [{T +1} Alice ] Bob Alice  Is this “encrypt and sign” secure? o Yes, seems to be OK  Does “sign and encrypt” also work here?

Part 3  Protocols 48 Authentication and TCP

Part 3  Protocols 49 TCP-based Authentication TCP not intended for use as an authentication protocol But IP address in TCP connection often used for authentication One mode of IPSec uses IP address for authentication This can cause problems

Part 3  Protocols 50 TCP 3-way Handshake Alice Bob SYN, SEQ a SYN, ACK a+1, SEQ b ACK b+1, data  Recall the TCP three way handshake  Initial SEQ numbers, SEQ a and SEQ b o Supposed to be random  If not… Acknowledges the synchronization request, SYN = synchronization ACK = Acknowledges

Part 3  Protocols 51 TCP Authentication Attack Alice Bob Trudy 1. SYN, SEQ = t (as Trudy) 2. SYN, ACK = t+1, SEQ = b 1 3. SYN, SEQ = t (as Alice) 4. SYN, ACK = t+1, SEQ = b 2 5. ACK = b 2 +1, data 5. …

Part 3  Protocols 52 TCP Authentication Attack Random SEQ numbers Initial SEQ numbers Mac OS X  If initial SEQ numbers not very random…  …possible to guess initial SEQ number…  …and previous attack will succeed

Part 3  Protocols 53 TCP Authentication Attack Trudy cannot see what Bob sends, but she can send packets to Bob, while posing as Alice Trudy must prevent Alice from receiving Bob’s packets (or else connection will terminate) If password (or other authentication) required, this attack fails If TCP connection is relied on for authentication, then attack can succeed Bad idea to rely on TCP for authentication

Part 3  Protocols 54 Zero Knowledge Proofs

Part 3  Protocols 55 Zero Knowledge Proof (ZKP) Alice wants to prove that she knows a secret without revealing any info about it Bob must verify that Alice knows secret  But Bob gains no info about the secret Process is probabilistic  Bob can verify that Alice knows the secret to an arbitrarily high probability An “interactive proof system”

Part 3  Protocols 56 Bob’s Cave Alice knows secret phrase to open path between R and S (“open sarsaparilla”) Can she convince Bob that she knows the secret without revealing phrase? P Q RS

Part 3  Protocols 57 Bob: “Alice come out on S side”  Alice (quietly): “Open sarsaparilla”  If Alice does not know the secret…  If Bob repeats this n times, then Alice (who does not know secret) can only fool Bob with probability 1/2 n  …then Alice could come out from the correct side with probability 1/2 P Q RS Bob’s Cave

Part 3  Protocols 58 Best Authentication Protocol? It depends on…  The sensitivity of the application/data  The delay that is tolerable  The cost (computation) that is tolerable  What crypto is supported (public key, symmetric key, …)  Whether mutual authentication is required  Whether PFS, anonymity, etc., are concern …and possibly other factors