Basic Protocols Schneier Ch. Three


Key Exchange w/ Symmetric Crypto
1. Desire: A and B on network, each sharing a secret key with the KDC (Trent, T). How???
2. A requests session key from T to talk to B.
3. T generates session key, encrypts it once with A’s key and once with B’s, sends both to A.
4. A decrypts her copy and sends B his copy.
5. B decrypts his copy.
6. A and B use key to communicate.
7. Trent is a bottleneck and attack target.

Key Exchange with PK Crypto
1. A gets B’s key from KDC.
2. A generates session key, encrypts with Bob’s public key, sends to B.
3. B decrypts w/ his private key.
4. A and B have session key for comms.

Man in Middle Attack
1. A sends B her public key. Mallory intercepts it and sends B his key in place of A’s.
2. Likewise, mutatis mutandis, with B.
3. A sends msg to B. M intercepts, reads with his private key and encrypts with B’s public key and sends to B.
4. Likewise, mutatis mutandis, with A.

Interlock Protocol to Foil Man in the Middle
1. A, B swap public keys.
2. A encrypts her msg, sends half to B.
3. B does same thing, sends half a msg to A.
4. A sends other half, B assembles, decrypts.
5. Likewise B to A.
6. Can send 1st half, every other byte, etc., or a “half” could be hash fn of message, next half the msg itself.
7. M can’t decrypt 1/2 msg, thus can’t send it on.

Key Exchange w/ Digital Signatures
1. Foils man in middle.
2. Trent signs A and B’s PKs, including cert. of ownership.
3. A and B get keys, verify T’s signature.
4. M can’t impersonate A, B -- doesn’t know their private keys. He can’t substitute his PK since it’s signed by T as belonging to M.
5. If M gets T’s key he can create phony keys but can’t decrypt session keys or read msgs.
6. If M can intercept msgs and impersonate T, can do man in middle.

Key And Message Transmission
1. Familiar hybrid system, very common (PGP).
2. A generates random session key K, encrypts M with it.
3. A gets B’s PK from database, encrypts K with it.
4. A sends encrypted M and K to B, can sign if she’s worried about men in middle.
5. B decrypts K with his private key and M using K.

Authentication
1. How does computer know who you are? PINs, passwords…but want to protect passwords.
2. Computer doesn’t need to know pw, just that it’s valid.
3. Calls for one-way hash, or one-way fn in general. Host stores hashes, compares with hashing the input password.

Dictionary Attacks and Salt
1. Unix’s one-way function is public.
2. Generate valid pws, encrypt, see if they match one in database = Dictionary Attack.
3. “Salt” is string concatenated to pw before one-way fn. It is stored with one-way fn result (like initialization vector).
4. M then has to try each user’s salt value with each possible pw in his dictionary to get a match.

Dictionary Attack and Salt Continued
1. So M can’t just bash his encrypted dict against the database of encrypted pws. He has to do a dict search per user, not per database.
2. However, despite everything, dict. attacks on Unix are surprisingly successful.
3. Salt protects the system, not an individual user.
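
The effect of salt on the stored password file, as an added example that is not part of the original slides. PBKDF2 stands in for the host's one-way function, and the function names and sample accounts are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

def one_way(password: str, salt: bytes = b"") -> bytes:
    # Stand-in for the host's public one-way function (PBKDF2 is an
    # assumption of this example; the slides do not name the function).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def enroll(db: dict, user: str, password: str, salted: bool) -> None:
    # The salt is stored next to the one-way result, as on the slide.
    salt = os.urandom(16) if salted else b""
    db[user] = (salt, one_way(password, salt))

def verify(db: dict, user: str, password: str) -> bool:
    # Host re-hashes the input with the stored salt and compares.
    salt, stored = db[user]
    return hmac.compare_digest(stored, one_way(password, salt))

def users_sharing_a_hash(db: dict) -> int:
    # Identical stored values reveal identical passwords across users.
    counts = Counter(digest for _, digest in db.values())
    return sum(n for n in counts.values() if n > 1)

def hashes_per_dictionary_pass(db: dict, dictionary: list) -> int:
    # One hash per (distinct salt, candidate word) pair covers the database.
    return len({salt for salt, _ in db.values()}) * len(dictionary)

def build_sample(salted: bool) -> dict:
    # Constructed sample accounts; alice and bob chose the same password.
    db = {}
    for user, pw in [("alice", "sunshine"), ("bob", "sunshine"),
                     ("carol", "k7#pQz!w")]:
        enroll(db, user, pw, salted)
    return db

if __name__ == "__main__":
    for salted in (False, True):
        db = build_sample(salted)
        print("salted" if salted else "unsalted",
              users_sharing_a_hash(db),
              hashes_per_dictionary_pass(db, ["word"] * 1000))
```

Without salt one pass over the dictionary covers every account; with salt the cost is multiplied by the number of users, yet each individual weak password is still as guessable as before.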

SKEY Motivation
1. Used at UR…why work thru it backwards?
2. Problem: sending password in clear over phone line. Partial answer: system must authenticate you before allowing you to try to login over phone. Your pw could still be lost.

SKEY
1. Sys admin enters random R, computer produces f(R), f(f(R)), etc. (list = x1, x2, … x100). System stores x101 with your name.
2. You (user) keep this list. To log in, give name and x100; computer calculates f(x100), which should = x101. If so, you’re authenticated: system stores newly-entered x100 opposite your name.
3. Computer can ask for number it wants by subscript number. Actually use 4-letter words.
4. Each no. only used once, database no help.
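
The SKEY list and login check from this slide, as an added example that is not part of the original slides. SHA-256 stands in for f, and the Host class, its method names and the seed value are hypothetical.

```python
import hashlib
import hmac

def f(x: bytes) -> bytes:
    # One-way function f; SHA-256 is an assumption of this example.
    return hashlib.sha256(x).digest()

def make_list(r: bytes, n: int = 100):
    """Return ([x1, ..., xn], x_{n+1}) with x1 = f(R) and x_{i+1} = f(x_i)."""
    xs, x = [], r
    for _ in range(n):
        x = f(x)
        xs.append(x)
    return xs, f(x)

class Host:
    def __init__(self):
        self.stored = {}  # name -> (subscript of stored value, stored value)

    def register(self, name: str, n: int, x_next: bytes) -> None:
        self.stored[name] = (n + 1, x_next)  # e.g. x101 for a 100-entry list

    def wanted_subscript(self, name: str) -> int:
        return self.stored[name][0] - 1  # the number the host asks for next

    def login(self, name: str, x: bytes) -> bool:
        subscript, value = self.stored[name]
        if subscript <= 1 or not hmac.compare_digest(f(x), value):
            return False  # list used up, wrong value, or a replayed value
        self.stored[name] = (subscript - 1, x)  # remember x100, then x99, ...
        return True

def demo():
    xs, x101 = make_list(b"constructed random R", 100)  # constructed seed
    host = Host()
    host.register("alice", 100, x101)
    first = host.login("alice", xs[99])   # x100: accepted
    replay = host.login("alice", xs[99])  # same x100 again: rejected
    second = host.login("alice", xs[98])  # x99: accepted
    return first, replay, second, host.wanted_subscript("alice")

if __name__ == "__main__":
    print(demo())
```

The host only ever holds a value whose preimage it has not yet seen, which is why a copy of its database does not help someone log in.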

Authentication with PK: Motivation
1. Problem: sending password over phone in clear, or even having it in computer, however briefly, in clear (e.g. before encryption).
2. So, host keeps file of public keys, user keeps private key as usual. Two protocols follow.

Weak PK Authentication
1. Host sends A a random string.
2. A encrypts with her private key, sends back along with her name.
3. Host looks up her public key by her name, decrypts.
4. If result is what host sent out, A is authenticated.
5. Not bad except for step 1. M could pretend to be host and mount chosen ciphertext attack on A.

Better PK Authentication
1. A performs computation using random numbers and her key, sends result to host.
2. Host sends A yet a different random no.
3. A makes more computations on all the random numbers and her key, sends to host.
4. Host does computations on everything received from A to verify she knows her own private key: if so, A’s authenticated.

Mutual Authentication with Interlock
1. Why believe host is who it says it is?
2. A and B have pw the other knows, PA and PB. Man in middle defeats this:
3. A encrypts PA with B’s PK and sends to B.
4. B encrypts PB with A’s PK and sends to A.
5. A, B decrypt, verify correctness.
6. Mallory can get in, substitute his PK for A’s (to B) and vice versa, learns pws. Interlock can help but attack can be improved.

Authentication and Key Exchange
1. A and B on network, want to xchg keys, authenticate, communicate despite Mallory.
2. Most protocols assume Trent shares different secret key with each party before protocol starts.
3. Many commercial systems to do this. Schneier examines nine of them critically. We’ll look at two.

Wide Mouth Frog
1. Simplest, uses T with whom A and B share secret key for key distribution, not encryption. To get session key:
2. A concats timestamp, B’s name, random session key, encrypts with key she shares with T, sends T the package and her name.
3. T decrypts, concats new timestamp, A’s name, random key, sends to B encrypted with his key.
4. Problem: A may be incompetent to create secure session key.

Kerberos Motivation
1. Same assumptions, variant of Needham-Schroeder (see Schneier). Prevents replay attacks (use of old messages).
2. Kerberos timestamps are to fix bug in N-S involving old session keys.

Kerberos Protocol
1. A sends T her identity and B’s (A,B).
2. T makes msg with timestamp, lifetime L, random session key K, A’s ID; encrypts with key he shares with Bob, similarly for Alice: E_A(T,L,K,B), E_B(T,L,K,A).
3. A sends E_K(A,T), E_B(T,L,K,A) to Bob.
4. B sends E_K(T+1) to A.
5. All clocks must be synched with T’s. If not exact, check for replays in uncertainty interval.
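
Step 5's replay check as Bob might apply it to the step 3 message, as an added example that is not part of the original slides. The ReplayGuard class, its field names and the 300-second uncertainty interval are assumptions; decryption of E_K(A,T) and E_B(T,L,K,A) is taken as already done, and the two timestamps are passed separately so the check works whether or not they are the same T.

```python
class ReplayGuard:
    """Bob's freshness check on step 3, applied to the decrypted fields."""

    def __init__(self, max_skew: float = 300.0):
        self.max_skew = max_skew  # allowed clock uncertainty, in seconds
        self.seen = {}            # (name, timestamp) -> time entry may be dropped

    def check(self, name, auth_time, ticket_time, lifetime, now) -> str:
        # Forget entries that the skew test below would reject anyway.
        self.seen = {k: t for k, t in self.seen.items() if t >= now}
        if now > ticket_time + lifetime:
            return "ticket expired"             # past T + L
        if abs(now - auth_time) > self.max_skew:
            return "outside clock-skew window"  # too old or too far ahead
        if (name, auth_time) in self.seen:
            return "replay"                     # same (A, T) seen in the window
        self.seen[(name, auth_time)] = auth_time + self.max_skew
        return "ok"

def demo():
    # Constructed sequence: times are seconds on Bob's clock, L = 3600.
    guard = ReplayGuard(max_skew=300)
    return [
        guard.check("alice", 1000, 1000, 3600, now=1010),  # fresh
        guard.check("alice", 1000, 1000, 3600, now=1020),  # captured, resent
        guard.check("alice", 1000, 1000, 3600, now=1400),  # resent too late
        guard.check("alice", 5000, 1000, 3600, now=5000),  # ticket too old
        guard.check("alice", 1500, 1000, 3600, now=1490),  # Bob's clock behind
    ]

if __name__ == "__main__":
    print(demo())
```

The cache only has to remember a timestamp for as long as the skew test would still accept it, so its size is bounded by the uncertainty interval rather than by the ticket lifetime.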

Lessons Learned
1. Many authentication and key-exchange protocols! Lots of examination, testing, critique.
2. Protocols fail if too clever: when they try to leave out names, random numbers.
3. Everything should be explicit.
4. Performance depends on assumptions (like authenticated time), and underlying comm architecture (connectivity).

Formal Verification
1. Can prove protocol properties?
2. Use OS or hardware spec. languages, verification tools.
3. Use expert systems.
4. Use special logics (most popular: BAN).
5. Formalize crypto system.
6. AI tools meet system-design tools!

Secret Splitting and Sharing
1. Send different msg parts to diff. people, who must cooperate to read it…
2. Trent provides random string R same length as msg M.
3. T XORs M with R to generate S.
4. T gives R to A and S to B.
5. A and B XOR their pieces to reconstruct M.
6. Like T has one-time pad, gives cipher to one person and pad to other.

Threshold Schemes
1. With hardware or computer techniques, can fix it so that message is distributed in n pieces, but any m of the n holders can reconstruct it: (m,n) threshold scheme.
2. See text for a technical how-to.

Protecting Databases with Crypto
1. How fix database so you can extract the address of someone whose name you know but can’t get at everyone’s address?
2. Use one-way hash and symm. encryption.
3. Store full name and address info encrypted by last name, along with field that is last name hashed.
4. To find record, search db for hashed name and decrypt what you find using last name.
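
The store and lookup steps above, as an added example that is not part of the original slides. The function names, labels and sample records are constructed, and a SHA-256 counter-mode keystream stands in for the symmetric cipher so the code runs with only the standard library. The stored index hash and the record key are derived with different labels, because if they were the same value the index column would hand out every key.

```python
import hashlib
import os

def _derive(label: bytes, last_name: str) -> bytes:
    # Different labels give unrelated values for the index and for the key.
    name = last_name.strip().lower().encode()
    return hashlib.sha256(label + b"\x00" + name).digest()

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (an assumption of this example); a real system would
    # use an authenticated cipher such as AES-GCM here.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def store(db: dict, last_name: str, record: str) -> None:
    # Row = hashed last name -> list of (nonce, encrypted record).
    nonce = os.urandom(16)
    key = _derive(b"record-key", last_name)
    db.setdefault(_derive(b"index", last_name), []).append(
        (nonce, _keystream_xor(key, nonce, record.encode())))

def lookup(db: dict, last_name: str) -> list:
    # Search by hashed name, then decrypt what is found using the name.
    key = _derive(b"record-key", last_name)
    rows = db.get(_derive(b"index", last_name), [])
    return [_keystream_xor(key, nonce, ct).decode() for nonce, ct in rows]

def build_sample() -> dict:
    # Constructed sample records.
    db = {}
    store(db, "Smith", "Ann Smith, 12 Elm Street")
    store(db, "Smith", "Raj Smith, 4 Oak Avenue")
    store(db, "Jones", "Lee Jones, 90 Pine Road")
    return db

if __name__ == "__main__":
    print(lookup(build_sample(), "smith"))
```

Last names are guessable, so this raises the cost of pulling every address in bulk rather than hiding any one record from someone willing to try common names.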