OTR AKE Protocol.


OTR AKE Protocol

OTR Data Protocol

Security Properties
- Authentication: Public keys and signatures
- Integrity: MACs
- Perfect Forward Secrecy: Constant re-keying
- Deniability
  - Weak Deniability: Shared secrets
  - Strong Deniability: Malleable encryption

Found Attacks
- Version Rollback Attack: An attacker may arbitrarily set the version of OTR.
- Strong Deniability Attack: An attacker with strong network control may disable the strong deniability property.
- Authentication Failure: Alice may be convinced to commit to an AKE key exchange not knowing who she is speaking with.
- Message Integrity Attack: An intruder may arbitrarily alter a message.

Strong Deniability Attack

```
-- Any MAC keys the intruder holds for the pair (a, b) must sit at
-- the key indices k_ours - 2 and k_theirs - 1 of principal a.
invariant "Strong Deniability"
  forall a: PrincipalId do
    forall b: PrincipalId do
      forall i: IntruderId do
        int[i].mac_keys[a][b].k_A >= 0 & int[i].mac_keys[b][a].k_B >= 0
        ->
        int[i].mac_keys[a][b].k_A = pri[a].c[b].k_ours - 2 &
        int[i].mac_keys[b][a].k_B = pri[a].c[b].k_theirs - 1
      end
    end
  end;
```

Strong Deniability Attack
- An intruder may replace published MAC keys.

Authentication Failure
- Problem: Bob never makes it clear he thinks he is talking to Alice.

Authentication Failure
- Bob believes he is talking to Mallory.
- Alice believes she is talking to Bob.
- After receiving the third message, Alice commits to a successful key exchange with Bob.
- Bob will think the exchange failed with Mallory.

Message Integrity Attack
[Diagram: re-keying in OTR between Alice and Bob]

Message Integrity Attack
- Mallory blocks a message containing published MAC keys.
- Mallory uses the published keys to re-send a modified message to Bob.
- Bob thinks it was sent before his message was received.
- A negative feature interaction occurs between forward secrecy and strong deniability.

Message Integrity Attack
The Official Response:

"... Good call on this one. Bizarrely, it doesn't turn out to be a security hole in the deployed software because there's a bug in it. (!) The deployed software only publishes MAC keys that were used to receive messages, not ones on messages it sent. This is safe, because it knows for sure that it'll never trust a MAC key that it's already published ..."
- OTR Author Ian Goldberg
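The key-publication rule in the response above can be checked with a small model. This is an added example, not code from the slides or from the OTR software: the `Party` class, the function names and the message body are hypothetical, and HMAC-SHA256 stands in for the protocol's MAC. It compares revealing a sending key, which the peer still verifies with, against revealing a receiving key that the revealer retires in the same step.

```python
import hashlib
import hmac
import os


def tag(mac_key, body):
    """MAC over a message body (HMAC-SHA256 as a stand-in)."""
    return hmac.new(mac_key, body, hashlib.sha256).digest()


class Party:
    """One side of a session and the MAC keys it trusts on incoming messages."""

    def __init__(self):
        self.trusted = set()    # keys accepted on incoming messages
        self.published = set()  # keys this party has revealed in the clear

    def reveal_receiving_key(self, mac_key):
        # Safe rule: reveal only a key this party itself verifies with,
        # and stop trusting it in the same step.
        self.trusted.discard(mac_key)
        self.published.add(mac_key)
        return mac_key

    def accept(self, body, t):
        return any(hmac.compare_digest(tag(k, body), t) for k in self.trusted)


def revealed_key_still_trusted(reveal_sending_key):
    """Constructed scenario: Alice reveals one MAC key in a message that
    never reaches Bob. Returns True if a message authenticated under the
    now-public key is still accepted by either party."""
    alice, bob = Party(), Party()
    k_ab, k_ba = os.urandom(32), os.urandom(32)
    bob.trusted.add(k_ab)    # Bob verifies Alice's messages with k_ab
    alice.trusted.add(k_ba)  # Alice verifies Bob's messages with k_ba
    if reveal_sending_key:
        # Alice publishes a key she sent with; Bob never learns it is retired.
        alice.published.add(k_ab)
        public = k_ab
    else:
        public = alice.reveal_receiving_key(k_ba)
    body = b"constructed message body"
    t = tag(public, body)  # anyone holding the public key can compute this
    return alice.accept(body, t) or bob.accept(body, t)
```

The useful check for an implementation is the invariant itself: at no point should any key in a party's `published` set, or in its peer's, remain in a `trusted` set.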