CSE331: Introduction to Networks and Security Lectures 26 & 27 Fall 2002

CSE331 Fall Announcements Project 3 is due on Nov. 18 th

CSE331 Fall Primary Attacks Impersonation. Replay. Interleaving. Reflection. Forced delay. Chosen plaintext.

CSE331 Fall Primary Controls Replay: use of challenge-response techniques and embedding target identity in response. Interleaving: link messages in a run with chained nonces. Reflection: embed identifier of target party in challenge response, use asymmetric message formats, use uni-directional keys.

CSE331 Fall Primary Controls, continued Chosen text: embed self-chosen random numbers (“confounders”) in responses, use “zero knowledge” techniques. Forced delays: use random numbers with short timeouts, use timestamps with other techniques.

CSE331 Fall Multiple Use of Keys There are risks in using keys for multiple purposes. Using an RSA key for both entity authentication and signatures may allow a chosen-text attack. B attacker/verifier, rB=H(M) for some message M. –B -> A: rB –A -> B: B, EA(rB) –B(A) -> C: M, EA(H(M)) B, pretending to be A

CSE331 Fall Effective Control Notice how the protocol described earlier foils this. Here’s the protocol: –B -> A: rB –A -> B: rA, B, S A (rA, rB, B) Here’s what happens: –B -> A: rB –A -> B: rA, B, EA(rA, rB, B) –B(A) -> C: M, EA(rA, H(M), B) –C finds that EA(rA, H(M), B)  EA(H(M)) and rejects the signature.

CSE331 Fall Usurpation Attacks Identification protocols provide assurances corroborating the identity of an entity only at a given instant in time. Techniques to assure ongoing authenticity: –Periodic re-identification. –Tying identification to an ongoing integrity service. For example: key establishment and encryption.

CSE331 Fall Key Establishment Symmetric keys. –Point-to-Point. –Needham-Schroeder. –Kerberos. Asymmetric keys. –X.509 key establishment. –Attack example. –Station To Station (STS) protocol. –Bellovin-Merritt protocol.

CSE331 Fall Symmetric Keys Key establishment using only symmetric keys requires use of pre-distribution keys to get things going. These can be based on: –Point to point distribution, or –Key Distribution Center (KDC).

CSE331 Fall Point-to-Point Timestamp. –A -> B : E(K, (k, t, B)) Nonce. –B -> A : r –A -> B : E(K, (k, r, B)) Session Key ISO/IEC

CSE331 Fall Key Distribution Center

CSE331 Fall Distribution Center Setup A wishes to communicate with B. T is a trusted third party that provides session keys. T has a key K AT in common with A and a key K BT in common with B. A authenticates T using a nonce rA and obtains a session key from T. A authenticates to B and transports the session key securely.

CSE331 Fall Needham-Schroeder 1.A -> T : A, B, rA 2.T -> A : E( K AT, (k, rA, B, E( K BT, (k, A)) )) A decrypts with K AT and checks rA and B. Holds k for future correspondence with B. 3.A -> B : E( K BT, (k, A)) B decrypts with K BT. 4.B -> A : E(k, rB) A decrypts with k. 5.A -> B : E(k, rB – 1) B checks rB-1.

CSE331 Fall Attack Scenario 1 1.A -> T : A, B, rA 2.T -> C (A) : E( K AT, (k, rA, B, E( K BT, (k, A)) )) C is unable to decrypt the message to A; passing it along unchanged does no harm. Any change will be detected by A.

CSE331 Fall Attack Scenario 2 1.A -> C (T) : A, B, rA 2.C (A) -> T : A, C, rA 3.T -> A : E( K AT, (k, rA, C, E( K CT, (k, A)) )) Rejected by A because C rather than B.

CSE331 Fall Attack Scenario 3 1.A -> C (T) : A, B, rA 2.C -> T : C, B, rA 3.T -> C : E( K CT, (k, rA, B, E( K BT, (k, C)) )) 4.C (T) -> A : E( K CT, (k, rA, B, E( K BT, (k, C)) )) A is unable to decrypt the message.

CSE331 Fall Attack Scenario 4 1.C -> T : C, B, rA 2.T -> C : E( K CT, (k, rA, B, E( K BT, (k, C)) )) 3.C (A) -> B : E( K BT, (k, C)) B will see that the purported origin (A) does not match the identity indicated by the distribution center.

CSE331 Fall Kerberos Setup A,T,B, shared keys K AT, K BT as in distribution center. Nonce rA generated by A. Trusted synchronous clocks for generating a time t and checking expiration of a lifetime L.

CSE331 Fall Kerberos Messages 1.A -> T : A, B, rA 2.T -> A : E( K BT, (k, A, L)), E( K AT, (k, rA, L, B)) 3.A -> B : E( K BT, (k, A, L)), E( k, (A, t)) 4.B -> A : E(k, t) Ticket Authenticator

CSE331 Fall Kerberos Actions 1.A -> T : A, B, rA 2.T -> A : E( K BT, (k, A, L)), E( K AT, (k, rA, L, B)) Decrypt using K AT, check rA, B, and hold L for future reference. 3.A -> B : E( K BT, (k, A, L)), E( k, (A, t)) Decrypt the ticket using KBT to get the session key and lifetime. Use the session key to decrypt the authenticator. Check A, t, L. 4.B -> A : E(k, t) Check t.

CSE331 Fall Asymmetric Key Exchange X.509 key establishment. Impersonation case study. STS. Bellovin-Merritt protocol.

CSE331 Fall X.509 Key Establishment Setup X.509 is part of the X.500 series of ISO/IEC standards. certA and certB are certificates for the public keys of A and B. A has encryption function EA and signature function SA. B has signature function SB. rA and rB are nonces. LA and LB are lifetimes (validity periods).

CSE331 Fall X.509 Key Est. Messages Let DA = EB(k), rA, LA, A. Let DB = rB, LB, rA, A Two messages: 1.A -> B : certA, DA, SA(DA) Check that the nonce rA has not been seen, and is not expired according to LA. Remember it for its lifetime LA. 2.B -> A : certB, DB, SB(DB) Check the rA and A. Check that rB has not been seen and is not expired according to LB.

CSE331 Fall X.509 Variant X.509 supports several variants on the previously-described protocol. Let DA = EB(kA), rA, LA, A. Let DB = EA(kB), rB, LB, rA, A Two messages: 1.A -> B : certA, DA, SA(DA) 2.B -> A : certB, DB, SB(DB) Both A and B compute a session key f(kA, kB) as a function of subkeys supplied by A and B.

CSE331 Fall Impersonation Case Study

CSE331 Fall Protocol X 1.A -> T : A, B 2.T -> A : ST(EB, B) 3.A -> B : EB(kA, A) 4.B -> T : B, A 5.T -> B : ST(EA, A) 6.B -> A : EA(kA, kB) –Check kA. Calculate session key as f(kA,kB). 7.A -> B : EB(kB) –Check kB. Calculate session key as f(kA,kB).

CSE331 Fall Interleaving Attack on Protocol X An interleaving attack on this protocol is possible. An adversary C convinces: –A that he is talking to C using session key k = f(kA, kB). –B that his is talking to A using session key k. C has access to the key k and can use it to decrypt the responses that B makes to A.

CSE331 Fall Compromise Scenario B, C are taxpayers. A is the IRS. A contacts C, (presumably) authenticates and sets up a session key k. C uses the interleaving attack with B. B now thinks he is talking to the IRS. C answers questions directed to him by the IRS. Meanwhile C, pretending to be IRS, asks B for information about his income for the last 5 years.

CSE331 Fall What Went Wrong? Entity authentication: determining who you are talking to. Key establishment: settling on a shared session key. Protocol X admits an interleaving attack that allows an adversary to exploit entity authentication and then step in to exploit key establishment.