Authenticated Key Exchange


Lecture Outline

Example of how poor security design can cause problems
Design principles for building security protocols
Key tools for building robust security protocols
  – Naming
  – Encryption
  – Signing
  – Timestamps and nonces
Examples…
  – Wide-Mouthed Frog
  – Needham-Schroeder
We’ll end with a brief look at Kerberos

Tales from the Dark Side of Security

Pay-Per-View TV hacks:
  – Decoders are personalized with a smart card. The smart card cannot decrypt bulk content, so the bulk decryption is done on the decoder.
  – Many decoders have a microcontroller which passes messages between the cryptoprocessor and the smart card.
  – Attackers can go in and modify or replace the microcontroller, or can introduce a PC between the decoder and the card in order to manipulate the messages exchanged.
  – Kentucky Fried Chip hack:
      – When a customer stops paying the subscription, the system sends a message to the decoder to disable the card.
      – The KFC hack replaced the microcontroller with a version that would block this message.
      – It was able to do this because the system message was sent in the clear!

Caveat Cryptor: Designer Beware!

The lesson learned from this last story is: the adversary can be very powerful and clever!
We must assume that the adversary has complete control over the network…
  – Be paranoid! Alice should not blindly trust what she is getting from “Bob”! And vice-versa!
  – If we can build a system that we trust in this Seriously Caustic environment, then we can trust it in more general (day-to-day) computing scenarios.
So, who are the entities?
  – Alice and Bob may be users, or may be smart cards, or devices.
  – Eve can be the compromised decoder, or the network, or a hacker.
  – When needed, Trent will be a trusted third party server.

Basic Guidelines

Needham has given several guidelines for building secure systems:
1. Be clear about security goals and assumptions.
2. When using encryption, know why you are using it (secrecy? authenticity? binding? PRNG?). Encryption is not security!
3. Be careful about temporal associations.
4. Don’t assume the identity of a participant can be excluded from a message. Generally, it should be explicitly included in a message!
5. Have redundancy in your message!
6. Know the properties and weaknesses of the cryptographic protocols you are using.
7. Signatures do not imply that the signer knows what the message is that he is signing!
8. Don’t trust others to keep their secrets secret!
9. When responding to queries, be careful about encrypting, decrypting, or signing. You might be used as an oracle by an adversary!
10. Decryption is not the same as digital signatures: they have different purposes!
11. Distinguish between different runs of the protocol!

Wide-Mouthed Frog Protocol

The Wide-Mouthed Frog Protocol is one of the simplest symmetric key management protocols involving a trusted third party (Trent = T).
Alice chooses a session key to communicate with Bob and has Trent transfer it to Bob securely.
The parameter t_A is a timestamp supplied by Alice, while t_T is given by Trent. Bob will accept K_AB as fresh if it arrives in a certain window of time.
The WMF protocol fails because Trent updates the timestamp.
If Trent does not keep a list of all recent keys and timestamps, Eve can use Trent as an Oracle!

Failure in the Wide-Mouthed Frog Protocol

Let’s see how Eve can make Trent act as an Oracle…
1. After seeing one exchange of the protocol, Eve could pretend to be Bob wanting to share a key with Alice
2. Eve would send Trent the replay
3. Trent would send back, where is a new timestamp. Alice would think this is an OK message since it came from Trent.
4. Eve could then pretend to be Alice and get
5. And so on…
Effect: The key K_AB is kept indefinitely alive.
To fix: You need to be explicitly clear about how you keep track of temporal succession (did you see this key before?)
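The following is an added example, not part of the original slides: a toy Trent that re-stamps and forwards Wide-Mouthed Frog messages, run once without and once with a record of session keys already forwarded. The message layout (timestamp, peer name, key) follows the textbook form of the protocol and is an assumption here, as are all names, keys and the 5-second window; HMAC-tagged JSON stands in for encryption.

```python
import hmac, hashlib, json

WINDOW = 5  # seconds a timestamp counts as fresh (constructed value)

def seal(key, fields):
    """Stand-in for encryption under a shared key: JSON body + HMAC tag."""
    body = json.dumps(fields, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, msg):
    body, tag = msg
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("not sealed under the sender's key")
    return json.loads(body)

class Trent:
    def __init__(self, keys, remember=False):
        self.keys = keys          # name -> key shared with Trent
        self.remember = remember  # the fix: track keys already forwarded
        self.seen = set()

    def relay(self, sender, msg, now):
        f = unseal(self.keys[sender], msg)
        if abs(now - f["t"]) > WINDOW:
            raise ValueError("stale timestamp")
        if self.remember:
            if f["k"] in self.seen:
                raise ValueError("session key already forwarded")
            self.seen.add(f["k"])
        # Trent replaces the sender's timestamp with his own.
        return seal(self.keys[f["peer"]], {"t": now, "peer": sender, "k": f["k"]})

def bounce(trent, first_msg, rounds, step=4):
    """Feed Trent's output back to him, swapping the claimed sender each round.
    Returns the time of the last round Trent accepted."""
    now, sender, msg = 0, "alice", first_msg
    for _ in range(rounds):
        msg = trent.relay(sender, msg, now)
        sender = "bob" if sender == "alice" else "alice"
        now += step
    return now - step

if __name__ == "__main__":
    keys = {"alice": b"A" * 32, "bob": b"B" * 32}   # constructed keys
    first = seal(keys["alice"], {"t": 0, "peer": "bob", "k": "00ff"})
    print(bounce(Trent(keys), first, 10))           # key still accepted at t=36
    try:
        bounce(Trent(keys, remember=True), first, 10)
    except ValueError as e:
        print("rejected:", e)
```

Without the record, a key stamped at t=0 with a 5-second window is still being accepted at t=36; with it, the second round is refused. A long-running Trent would also expire entries from the record once they are older than the window.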

Needham-Schroeder

We now look at the Needham-Schroeder authenticated key exchange protocol.
The protocol:
Step 1: Alice tells Trent what she is requesting.
Step 2: Trent gives Alice the session key and gives Alice a package to deliver to Bob.
Step 3: Bob can get the session key, and the identity of who he is talking with (verified because it came from Trent).
Step 4: Bob sends Alice a challenge.
Step 5: Alice answers the challenge.

An attack on Needham-Schroeder

In 1981, Denning and Sacco showed that if the session key is compromised, then Eve can make Bob think that he is communicating with Alice.
Assume the NS protocol took place, and that Eve has recorded the first 3 steps. Also, assume that Eve has obtained the session key.
The following steps subvert NS:
Step 1: Eve replays step 3 from NS as if she were Alice.
Step 2: Bob gets this message and issues a challenge to Alice in the form of a new nonce. This challenge is intercepted by Eve.
Step 3: Since Eve knows the session key, she can respond correctly to the challenge.
The basic problem: messages can be replayed once the session key is compromised!

Time, Time! Who’s got the Time?

The clock plays an important role in many security protocols.
  – Time provides an ordering of events.
  – Time and timestamps help provide measures of freshness to protocols.
Having reliable and synchronized clocks is an important challenge in building secure and trusted systems.
  – We can’t simply use the normal clock time… an enemy may manipulate the clock, or the clock may fail.
Setting the clock back:
  – Perhaps a user had access to some data in the past, but that access has expired now. Setting the clock back might allow the user to access data for which his access privileges had expired.
  – Expired certificates are fresh again…
  – Automated tasks may be forced to repeat by repeatedly setting the clock back after the task is executed.

Time, Time! Who’s got the Time? Pg. 2

Stop the time:
  – An adversary may freeze the clock and thereby cause audit logs to become ambiguous.
  – Actions, such as refreshes, no longer happen.
Setting the clock ahead:
  – Denial of service attacks are possible: certificates automatically expire!
  – Many situations involve release of confidential information at a specified time in the future… moving the clock ahead forces the release of this information!
  – In auction-based systems, if you can alter the auction-system clock forward, you can deny many rivals the opportunity to get last-bids in.

Kerberos

Kerberos is a real-world implementation of a symmetric cryptographic protocol that provides authentication and security during key exchange between users in a network.
It is, basically, a real-world implementation of Needham-Schroeder with some appropriate fixes.
Kerberos grew out of MIT’s Project Athena, whose purpose was to integrate a network of computer workstations and allow students to access files easily from anywhere on the network.
Kerberos is based upon a client-server model.
Actors:
  – Cliff: The Client, wants to use a service
  – Serge: The service server
  – Trent: A Trusted Authority (also called an Authentication Server)
  – Grant: Ticket Granting Server
There are two versions of Kerberos in use (Version 4 and Version 5). We will discuss the basics common to them both.

Overview of Kerberos

[Figure: overview of Kerberos showing Trent, Grant, Cliff and Serge. This slide borrowed from Stallings.]

Basic Kerberos Steps

The basics of the protocol:
1. Cliff to Trent: Request to Trent for help in authenticating with the Ticket Granting Server (Grant).
2. Trent to Cliff: Trent looks Cliff up. If Cliff is OK, Trent generates a session key K_CG for use between Cliff and Grant. This is encrypted using K_C. Trent also creates a Ticket Granting Ticket (TGT) that will allow Cliff to authenticate himself to Grant.

Basic Kerberos Steps, pg. 2

The basics of the protocol:
3. Cliff to Grant: Using K_CG, Cliff can now communicate with Grant. Cliff creates an authenticator message and sends Auth_CG as well as TGT to Grant.
4. Grant to Cliff: Grant gets Auth_CG and TGT. Grant uses his secret key to recover Cliff’s name, etc. Grant uses K_CG to decrypt Auth_CG to verify authenticity of Auth_CG. If the names match, and the timestamps are sufficiently close, then Cliff is valid. Grant creates a service ticket (encrypted with a key Grant shares with Serge). Grant sends ServTicket and encrypted K_CS to Cliff.

Basic Kerberos Steps, pg. 3

The basics of the protocol:
5. Cliff to Serge: Cliff now contacts Serge to use his services. He gets K_CS, which he will use when communicating with Serge. He creates an authenticator Auth_CS. Cliff sends Serge Auth_CS and ServTicket. Serge can decrypt ServTicket and get K_CS. Using K_CS he can decrypt Auth_CS and verify Cliff’s identity and the freshness of the authenticator.
6. Serge to Cliff: The service is provided and protected using K_CS.
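An added sketch of Grant's step-4 decision (not from the original slides or from any Kerberos implementation): check that the TGT and authenticator verify under the expected keys, that the names match, and that the timestamps are close to Grant's clock. The field names, the 300-second skew, the ticket lifetime and the used-authenticator set are assumptions that go beyond the slide; an HMAC tag stands in for encryption, so K_CG is not actually hidden here.

```python
import hmac, hashlib, json

MAX_SKEW = 300  # seconds; assumed meaning of "sufficiently close"

def tag(key, fields):
    """HMAC over the fields: stand-in for 'encrypted under key' (integrity only)."""
    data = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def make(key, fields):
    return {"fields": fields, "tag": tag(key, fields)}

def opened(key, msg, what):
    if not hmac.compare_digest(msg["tag"], tag(key, msg["fields"])):
        raise ValueError(what + " not protected by the expected key")
    return msg["fields"]

def grant_check(k_grant, tgt, auth, now, seen):
    """Step 4: return the validated client name, or raise ValueError."""
    t = opened(k_grant, tgt, "TGT")                 # built by Trent for Grant
    a = opened(bytes.fromhex(t["k_cg"]), auth, "authenticator")  # needs K_CG
    if a["name"] != t["name"]:
        raise ValueError("names do not match")
    if not t["issued"] <= now <= t["issued"] + t["lifetime"]:
        raise ValueError("TGT outside its lifetime")
    if abs(now - a["ts"]) > MAX_SKEW:
        raise ValueError("authenticator timestamp too far from Grant's clock")
    if (a["name"], a["ts"]) in seen:
        raise ValueError("authenticator already used")
    seen.add((a["name"], a["ts"]))
    return t["name"]

if __name__ == "__main__":
    # Constructed sample keys and times.
    k_grant, k_cg = b"G" * 32, b"C" * 32
    tgt = make(k_grant, {"name": "cliff", "k_cg": k_cg.hex(),
                         "issued": 1000, "lifetime": 3600})
    auth = make(k_cg, {"name": "cliff", "ts": 1010})
    seen = set()
    print(grant_check(k_grant, tgt, auth, 1020, seen))   # accepted
    for when in (1030, 9000):        # same authenticator again; then an old TGT
        try:
            grant_check(k_grant, tgt, auth, when, seen)
        except ValueError as e:
            print("rejected:", e)
```

The lifetime check is what stops a recorded ticket from being replayed later even by someone who has learned the old session key, which is the Denning-Sacco problem described for Needham-Schroeder above.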