Network Security Design Fundamentals, ET-IDA-082
Tutorial-14: IPSEC, KERBEROS
15.06.2018, v4, Prof. W. Adi
IPSEC: Users A and B are using a simplified IPSEC IKE system in aggressive mode according to Fig. 1. Assuming that: A=1, B=0, CP=5, IC=1, RC=2, a=13, b=11, RA=4, RB=7
1. Design a Diffie-Hellman key exchange system over GF(2^5) using p(x) = x^5 + x^4 + x^3 + x + 1 as a field modulus. Assume the secret keys for users A and B as a=21, b=17 respectively.
2. Compute a primitive element g and the common key g^{ab} as a binary vector in GF(2^5).
3. Compute the common session key as K = h(IC|RC|g^{ab} mod p|RA|RB), assuming the hash function h is defined as the least significant digit of x^2 mod 97, that is: h(x) = (x^2 mod 97) mod 10 (see also all parameters in Fig. 1). (Show all necessary computations.)
4. Compute SKEYID: SKEYID = h(RA|RB|g^{ab} mod p(x)). (Show all necessary computations in your solution! | stands for concatenation.)
5. Compute the signature of B, assuming the proof to be a secret key signature by double hashing as follows: proofB = h[ h(SKEYID|g^{ab}|IC|RC|CP|"Bob") | KBob ], where KBob = 9 is a secret signing key of Bob appended to the hash value.
IKE Phase 1: Public Key Signature (Aggressive Mode)
User A (Alice) -> User B (Bob): IC, "Alice", g^a mod p, RA, CP
User B (Bob) -> User A (Alice): IC, RC, "Bob", RB, g^b mod p, CS, proofB
User A (Alice) -> User B (Bob): IC, RC, proofA
Session key = K
CP = 5 = crypto proposed
DHGF = Diffie-Hellman key exchange over GF(2^5), p(x) = x^5 + x^4 + x^3 + x + 1 as field modulus, a=21, b=17
CS = crypto selected = 1
IC = initiator "cookie" = 0
RC = responder "cookie" = 1
Alice = 1, RA = 4, Bob = 0, RB = 7
K = h(IC|RC|g^{ab} mod p(x)|RA|RB)
Assume h(X) = X^2 mod 97 mod 10.
SKEYID = h(RA|RB|g^{ab} mod p(x))
proofB = h[ h(SKEYID|g^{ab}|IC|RC|CP|"Bob") | KBob ]
Fig. 1
Please check computations consistency
Solution:
Primitive element: as 2^5 - 1 = 31 is prime, all elements other than 0 and 1 have order 31, and element 1 has order 1 => x is primitive.
DH setup:
User A: a = 21, Ya = α^{21} = x^{21} = x^{16} · x^5 = (x^4 + x^3)(x^4 + x^3 + x + 1) = 1 + x^4 = 10001
User B: Xb = 17, Yb = α^{17} = x^{17} = x^{16} · x = x^5 + x^4 = x^3 + x + 1 = 01011
Public directory: GF(2^5), α = x, p(x) = x^5 + x^4 + x^3 + x + 1, Ya = 01111, Yb = 11110
4. Compute the polynomial and binary pattern for the users A and B shared key ZAB.
Common secret key for users A and B: Zab = (x^{21})^{17} = x^{357 mod 31} = x^{16} = x^4 + x^3 = 11000 = (24)_10
Powers of x, using p(x) = x^5 + x^4 + x^3 + x + 1 = 0 => x^5 = x^4 + x^3 + x + 1:
x^1 = x
x^2 = x^2
x^3 = x^3
x^4 = x^4
x^5 = x^4 + x^3 + x + 1
x^6 = x^5 + x^4 + x^2 + x = x^4 + x^3 + x + 1 + x^4 + x^2 + x = x^3 + x^2 + 1
x^7 = x^4 + x^3 + x
x^8 = x^5 + x^4 + x^2 = x^4 + x^3 + x + 1 + x^4 + x^2 = x^3 + x^2 + x + 1 = 01111
x^{16} = (x^8)^2 = x^6 + x^4 + x^2 + 1 = x^3 + x^2 + 1 + x^4 + x^2 + 1 = x^4 + x^3 = 11000 = (24)_10
Solution: IKE Phase 1: Public Key Signature (Aggressive Mode)
User A (Alice) -> User B (Bob): 0, 1, x^{21} mod p(x), 4, 5
User B (Bob) -> User A (Alice): 0, 1, 0, 7, x^{17} mod p, 1, proofB
User A (Alice) -> User B (Bob): IC, RC, proofA
CP = 5 = crypto proposed
DHGF = Diffie-Hellman key exchange over GF(2^5), p(x) = x^5 + x^4 + x^3 + x + 1 as field modulus, a=21, b=17
CS = crypto selected = 1
IC = initiator "cookie" = 0
RC = responder "cookie" = 1
Alice = 1, RA = 4, Bob = 0, RB = 7
K = h(IC|RC|g^{ab} mod g(x)|RA|RB) = (0 1 24 4 7)^2 mod 97 mod 10 = 8
Assume h(X) = X^2 mod 97 mod 32
where SKEYID = h(RA, RB, g^{ab} mod p(x)) = (4 7 24)^2 = 6
proofB = h[ h(SKEYID|g^{ab}|IC|RC|CP|"Bob") | KBob ]
ProofB = ((6 24 0 1 5 0)^2 | 9)^2 = (6 9)^2 mod 97 = 8 mod 10 = 8
Fig. 1
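The Diffie-Hellman part of the exercise can be checked mechanically. The following is an added example, not part of the original tutorial: it implements GF(2^5) arithmetic modulo p(x), runs both sides of the exchange with a = 21, b = 17 and g = x, and derives K with the Fig. 1 values. The function names are hypothetical, and "|" is read as decimal concatenation, as the solution does.

```python
# Added example: Diffie-Hellman over GF(2^5), p(x) = x^5 + x^4 + x^3 + x + 1.
# A field element is a 5-bit integer; bit i is the coefficient of x^i.
P_POLY = 0b111011          # x^5 + x^4 + x^3 + x + 1
DEG = 5

def gf_mul(a, b):
    """Multiply in GF(2^5): shift-and-add with reduction by p(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a                 # addition in GF(2) is XOR
        b >>= 1
        a <<= 1
        if a >> DEG:               # degree reached 5: x^5 = x^4 + x^3 + x + 1
            a ^= P_POLY
    return r

def gf_pow(g, e):
    """Square-and-multiply exponentiation."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, g)
        g = gf_mul(g, g)
        e >>= 1
    return result

def order(g):
    """Multiplicative order of a non-zero element."""
    n, y = 1, g
    while y != 1:
        y, n = gf_mul(y, g), n + 1
    return n

def h(x):
    """Tutorial hash: least significant digit of x^2 mod 97."""
    return pow(x, 2, 97) % 10

def concat(*values):
    """'|' read as decimal concatenation: 0|1|24|4|7 -> 12447."""
    return int("".join(str(v) for v in values))

def exchange(a=21, b=17, g=0b00010, ic=0, rc=1, ra=4, rb=7):
    """Both sides of the exchange with the Fig. 1 values; g = x."""
    y_a, y_b = gf_pow(g, a), gf_pow(g, b)           # public values
    z_a, z_b = gf_pow(y_b, a), gf_pow(y_a, b)       # each side's shared secret
    assert z_a == z_b
    return y_a, y_b, z_a, h(concat(ic, rc, z_a, ra, rb))

if __name__ == "__main__":
    print([format(v, "05b") for v in exchange()[:3]], exchange()[3])
```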
KERBEROS: A KERBEROS system is set up as shown in Fig. 2 with the parameters given in Fig. 2.
The hash function used is: h(x) = x^3 mod 41
The adopted encryption function is: Y = E(X,K) = X · K mod 53
Notice: split your encrypted blocks when necessary such that the system becomes operational!
1. In Fig. 2, compute KA and TGT.
2. In Fig. 2, compute the number of possible key choices for KKDC.
3. In Fig. 2, compute the KDC response Res.
4. In Fig. 2, decrypt Res on Alice's side.
5. In Fig. 3, compute Alice's REQUEST.
6. In Fig. 3, compute KB and the KDC REPLY to Alice including the ticket to Bob.
7. In Fig. 3, compute AuthenticatorA to Bob and decrypt the ticket to Bob on Bob's side.
8. In Fig. 3, compute ResB on B's side and verify it on A's side.
9. How secure is the proposed system?
10. Is it possible for KDC to encrypt TGT such that TGT becomes perfectly secure (impossible to break)? Give the reasons for your answer. If possible, how to do that by using the above adopted encryption function?
Step 1: Kerberized Login (Ticket Granting Ticket: TGT)
Alice -> Computer: Alice's Password
Computer -> KDC: Alice wants a TGT
KDC -> Computer: Res = E(SA|TGT, KA)
Alice's secret key KA = h(PasswordA)
h(x) = x^3 mod 41
TGT = E("Alice"|SA, KKDC)
KDC proposed session key SA = 8
PasswordA = 7, PasswordB = 9
KKDC = 22
Alice = 1, Bob = 2
(TGT = Ticket Granting Ticket), E(X,Y,Z, K) means data XYZ are encrypted using the key K
Encryption function E: Y = E(X,K) = X · K mod 53
Fig. 2
Step 2: Alice Requests Ticket to Bob
Alice -> Computer: I want to talk to Bob
Computer -> KDC: REQUEST (talk to Bob)
KDC -> Computer: REPLY
REQUEST = (TGT, authenticator), where authenticator = E(timestamp, SA)
REPLY = E("Bob"|KAB|ticket to Bob, SA)
ticket to Bob = E("Alice"|KAB, KB), generated by KDC
Step 3: Alice sends Ticket to Bob, establish link
Timestamp = 9, proposed KAB = 6
Alice's Computer -> Bob (knows KB): ticket to Bob = E("Alice"|KAB, KB), authenticatorA = E(timestamp, KAB)
Bob -> Alice's Computer: ResB = E(timestamp + 1, KAB)
Secured link: (KAB = 6)
Fig. 3
1. In Fig. 2 Compute KA and TGT.
KA = h(7) = 7^3 mod 41 = 343 mod 41 = 15
TGT = E("Alice"|SA, KKDC) = E(1|8, 22) = (18 * 22) mod 53 = 396 mod 53 = 25
2. In Fig. 2 Compute the number of possible key choices for KKDC.
Number of possible keys for KDC = φ(53) = 52
3. In Fig. 2 Compute the KDC response Res
Res = E(SA|TGT, KA) = E(8|25, 15) = E(8,15) | E(25,15) = 8 · 15 mod 53 | 25 · 15 mod 53 = 120 mod 53 | 375 mod 53 = 14 | 4
4. In Fig. 2 Decrypt Res on Alice side
Res = 14 | 4
KA^{-1} mod 53 = 15^{-1} mod 53 = -7 mod 53 = -7 + 53 = 46
Decrypt Res = D(Res, KA^{-1}) = D(14 | 4, KA^{-1}) = (14 · 46 mod 53 | 4 · 46 mod 53) = 8 | 25 = SA | TGT
5. In Fig. 3 compute Alice's REQUEST
authenticator = E(timestamp, SA) = E(9, 8) = 9 · 8 mod 53 = 72 mod 53 = 19
REQUEST = (TGT, authenticator) = (25, 19)
6. In Fig. 3 Compute KB and KDC REPLY to Alice including the ticket to Bob
KB = h(PasswordB) = 9^3 mod 41 = 729 mod 41 = 32
ticket to Bob = E("Alice"|KAB, KB), generated by KDC = E(1|6, 32) = 16 · 32 mod 53 = 512 mod 53 = 35
REPLY = E("Bob"|KAB|ticket to Bob, SA) = E(2 | 6 | 35, 8) = E(26, 8) | E(35, 8) = 26 · 8 mod 53 | 35 · 8 mod 53 = 208 mod 53 | 280 mod 53 = 49 | 15
7. In Fig. 3 Compute AuthenticatorA to Bob and decrypt ticket to Bob on Bob's side
AuthenticatorA = E(timestamp, KAB) = E(9,6) = 9 · 6 mod 53 = 54 mod 53 = 1
KB^{-1} mod 53 = 5
Ticket to Bob = 35
Decrypt on Bob's side = D(Ticket to Bob, KB^{-1}) = D(35, 5) = 35 · 5 mod 53 = 175 mod 53 = 16 = 1|6 = "Alice" | KAB
8. In Fig. 3 compute ResB on B side and Verify it at A side
ResB = E(timestamp + 1, KAB) = E(9+1, 6) = 10 · 6 mod 53 = 60 mod 53 = 7
KAB^{-1} mod 53 = 9
D(ResB, KAB^{-1}) = E(ResB, KAB^{-1}) = E(7, 9) = 7 · 9 mod 53 = 63 mod 53 = 10 = timestamp + 1
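The exchange of Fig. 2 and Fig. 3 replayed message by message, as an added example that is not part of the original tutorial. It assumes "|" is decimal concatenation as in the solution (1|8 = 18) and that the second field of the TGT and of the ticket is a single digit; the function names are hypothetical.

```python
# Added example: the toy Kerberos exchange of Fig. 2 / Fig. 3 with the tutorial's values.
P = 53                                    # modulus of E(X, K) = X * K mod 53

def h(x):                                 # h(x) = x^3 mod 41
    return pow(x, 3, 41)

def E(x, k):
    if not 0 < x < P:                     # "split your encrypted blocks when necessary"
        raise ValueError(f"block {x} must be split to fit below {P}")
    return (x * k) % P

def D(y, k):                              # decrypt: multiply by K^-1 mod 53
    return (y * pow(k, -1, P)) % P

def cat(*v):                              # '|' as decimal concatenation: 1|8 -> 18
    return int("".join(map(str, v)))

ALICE, BOB = 1, 2
PW_A, PW_B, K_KDC, S_A, K_AB, TS = 7, 9, 22, 8, 6, 9

def login():
    """Fig. 2: KDC builds TGT and Res; Alice opens Res with KA = h(PasswordA)."""
    k_a = h(PW_A)
    tgt = E(cat(ALICE, S_A), K_KDC)
    res = (E(S_A, k_a), E(tgt, k_a))              # SA | TGT sent as two blocks
    return tgt, res, tuple(D(c, k_a) for c in res)

def ticket_request(tgt):
    """Fig. 3, step 2: Alice's REQUEST and the KDC's REPLY."""
    request = (tgt, E(TS, S_A))
    name, s_a = divmod(D(tgt, K_KDC), 10)         # KDC opens TGT: "Alice" | SA
    if D(request[1], s_a) != TS:                  # KDC checks the authenticator
        raise ValueError("authenticator does not match timestamp")
    ticket = E(cat(name, K_AB), h(PW_B))
    reply = (E(cat(BOB, K_AB), s_a), E(ticket, s_a))
    return request, ticket, reply

def talk_to_bob(ticket):
    """Fig. 3, step 3: Bob opens the ticket and answers; Alice verifies ResB."""
    auth_a = E(TS, K_AB)
    name, k_ab = divmod(D(ticket, h(PW_B)), 10)   # Bob learns "Alice" | KAB
    res_b = E(D(auth_a, k_ab) + 1, k_ab)          # timestamp + 1 under KAB
    verified = D(res_b, K_AB) == TS + 1           # Alice's check
    return auth_a, (name, k_ab), res_b, verified
```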
9. Basically not secure, as knowing one clear-text/cipher-text pair would allow computing the secret key K as follows: K = X^{-1} · Y mod 53. As 53 is a prime, any non-zero X is invertible modulo 53. The hash function using x^3 mod 41 could be invertible if the cube root in GF(41) is computable. However, if the key K is not used repeatedly, then the cipher is equivalent to a Vernam cipher over the multiplicative group of GF(53), as 53 is a prime, and hence the cipher usage becomes unconditionally secure.
10. Yes, if the KDC does not reuse the same encryption key KKDC for creating TGT. As 53 is a prime, the system is operating in the multiplicative group of GF(53). Therefore the KDC would be using a Vernam-cipher-equivalent scheme. This makes TGT unconditionally secure. The KDC should not repeat the usage of any key!
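Both halves of this argument can be checked with the tutorial's own numbers. The following is an added example, not part of the original tutorial: it recovers a reused key from one known pair via K = X^{-1} · Y mod 53, and shows that under a single-use key a ciphertext is consistent with every non-zero plaintext. The function names are hypothetical, and it assumes the observer knows the timestamp and that a one-time key is drawn uniformly from 1..52.

```python
# Added example: key reuse versus one-time keys for E(X, K) = X * K mod 53.
P = 53

def D(y, k):
    """Decrypt by multiplying with K^-1 mod 53."""
    return (y * pow(k, -1, P)) % P

def recover_key(x, y):
    """Known plaintext X and ciphertext Y give K = X^-1 * Y mod 53."""
    if x % P == 0:
        raise ValueError("X must be non-zero to be invertible mod 53")
    return (pow(x, -1, P) * y) % P

def plaintexts_for(y):
    """All plaintexts that ciphertext y could hide, one per key 1..52."""
    return {D(y, k) for k in range(1, P)}

def reused_key_exposure(timestamp=9, authenticator=19, reply=(49, 15)):
    """SA encrypts both the authenticator and REPLY: one known pair opens both."""
    s_a = recover_key(timestamp, authenticator)
    return s_a, tuple(D(c, s_a) for c in reply)

def one_time_key_hides(y=25):
    """With a fresh uniform key, TGT = 25 fits every non-zero plaintext."""
    return plaintexts_for(y) == set(range(1, P))
```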
Fig. 2 (with computed values): Alice wants a TGT; Alice's secret key KA = 15; TGT = 25; Res = 14 | 4
Fig. 3 (with computed values): REQUEST = (25, 19); REPLY = 49 | 15; ticket to Bob = 35; authenticatorA = 1; ResB = 7; KAB = 6