15-349 Introduction to Computer and Network Security Iliano Cervesato 9 September 2008 – Cryptographic Protocols.

Introduction to Computer and Network Security Iliano Cervesato 9 September 2008 – Cryptographic Protocols

2 Where we are
- Course intro
- Cryptography
  - Intro to crypto
  - Modern crypto
  - Symmetric encryption
  - Asymmetric encryption
  - Beyond encryption
  - Cryptographic protocols
  - Attacking protocols
- Program/OS security & trust
- Networks security
- Beyond technology

3 Outline
- What is a protocol?
  - Authentication protocols
  - Other cryptographic protocols
- Challenge-response exchanges
- Key distribution
  - Shared-key protocols
    - Needham-Schroeder shared-key
    - Denning-Sacco
  - Public-key protocols
    - Needham-Schroeder public-key
  - Diffie-Hellman protocol
    - station-to-station
- Repeated authentication protocols
  - Neuman-Stubblebine

“Cryptography is not broken, it is circumvented” [Shamir]

4 Protocols
Expected behaviors when engaging in communication
- When 2 people want to talk
  - Buying something at the souq
  - Driving conventions
  - Calling up your friend, …
- When interacting with an organization
  - Bureaucracy
  - Official visits by head of states, …
- …
- When computers want to talk

5 Computer Protocols
- What sets them apart?
  - No human involved!
    - Automated
    - Inflexible
    - No common-sense
- What protocols are there in a computer?
  - Hundreds!
  - Communication protocols
    - , http, Ethernet, …
  - Security protocols

6 Security Protocols
- Communication protocols ensure that communication actually happens
- Security protocols ensure that communication is not abused
  - Protect contents
  - Protect communicating parties
  - Protect intent of communication
  - Protect possibility of communication

7 Common Security Goals
- Confidentiality
  - Message cannot be observed in transit
  - Achieved using some form of encryption

8 Authentication
- Ensure that we are talking with who we think
- Much more subtle than secrecy
- How to establish a secret channel in the first place
  - Negotiate parameters of channel
  - Ensure channel remains trusted
- Authentication protocols

9 Other Security Goals
- Non-Repudiation
  - Party cannot claim he didn’t do it
  - For auditing, electronic contract signing, …
- Non-Malleability
  - Message cannot be changed en route
  - For electronic voting, …
- Anonymity
  - Hide who is communicating
- Availability
  - User can always get through
- …

10 Security Protocols
Encryption provides virtual trusted channels
- Security protocols
  - How to establish, maintain and use these channels
- Authentication protocols
  - How to establish channel in the first place
    - Negotiate parameters of channel
    - Ensure that channel is still trusted
- Other types of protocols
  - Using trusted channels for specific purposes
    - Electronic commerce (e-cash, e-auctions, …)
    - Electronic voting
    - Electronic contract signing, …

[Slide annotation: This lecture]

11 Authentication Protocols
- Challenge-response
  - Verify somebody is at the other end of channel
- Key generation
  - Establish channel
- Key distribution
  - Bind channel ends with requesters
- Key translation
  - Use indirect channels

These aspects can be combined

12 Some Notation
We abstract from the cryptographic algorithms used
- Encryption: {m}_k
  - In particular shared-key encryption
  - Public-key encryption sometimes written {{m}}_k
- Authentication: [m]_k
  - In particular for MACs
  - Digital signatures sometimes written [[m]]_k
  - Usually includes both message and digest
- Decryption/verification not modeled explicitly

13 Our Heroes
- Generic principals
  - A (Alice)
  - B (Bob)
  - C (Charlie), …
- Servers
  - S (Sam)
  - … specialized names
    - Trusted-Third Party – TTP
    - Certification Authority – CA
    - Key Distribution Center – KDC
    - …
- Attacker
  - I (intruder)
  - Also known as
    - E (Eve – eavesdropper, enemy)
    - M (Mallory – malicious)
    - Trudy, ….

14 Challenge-Response Protocols
- Given trusted channel
  - A checks if B is there
    - Sends challenge to B
    - Waits for response
  - Get B to use the channel
    - By decrypting the challenge
    - By encrypting the response
    - … or both
- Used to
  - Test a newly established channel
  - Verify a previously used channel
- Usually part of bigger protocols
- Also called authentication test

[Diagram, A’s view: A to B “Hi, it’s me!”; B to A “I’m here too!”]

15 Guaranteeing Freshness
- Reusing challenges is dangerous
  - Waste subsequent transmissions
  - Replay of favorable messages
  - If channel used to transmit keys
    - and a previous key k was compromised,
    - then I can force A to reuse k
- Response should be fresh
  - Nonces
  - Timestamps
  - Sequence numbers
  - Fresh key (with care!)

16 Nonces
Random sequence of bits
- Typically bit long
- Generated fresh by originator as challenge
  - Unpredictable
  - Checked in response
- Not checked by recipient
  - Impractical to memorize them
- Never reused
  - But may contribute to keys
    - E.g. by hashing

[Diagrams: challenge-response exchanges between A and B using nonces. Messages shown: n_A, {n_A}_{k_AB}, {n_A - 1}_{k_AB}]

17 Timestamps
Current time in local computer
- E.g. in milliseconds
- Checkable by recipient
- Element of predictability
- Recipient must keep most recent timestamps to avoid replay
- Requires common time reference
  - Allow for clock skew
  - Use secure synchronized clocks
- Supports service time-out

[Diagrams: challenge-response exchanges between A and B using timestamps. Messages shown: t_A, {t_A}_{k_AB}, {t_A - 1}_{k_AB}]
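The recipient-side rules on the timestamp slide (keep recent timestamps, allow for clock skew, reject replays), written out as an added example that is not part of the original slides. HMAC-SHA256 stands in for the keyed operation, and the 2000 ms window, the key bytes and the names `mac`, `TimestampVerifier` and `demo` are assumptions made for illustration.

```python
import hashlib
import hmac

def mac(key: bytes, sender: str, t_ms: int) -> bytes:
    """[sender, t]_k as HMAC-SHA256 (stand-in for the slide's keyed operation)."""
    return hmac.new(key, f"{sender}|{t_ms}".encode(), hashlib.sha256).digest()

class TimestampVerifier:
    """Recipient side: accept a timestamped message once, and only while fresh."""

    def __init__(self, key: bytes, skew_ms: int = 2000):  # assumed tolerance
        self.key = key
        self.skew_ms = skew_ms
        self.seen = set()  # (sender, t_ms) pairs still inside the window

    def check(self, sender: str, t_ms: int, tag: bytes, now_ms: int) -> str:
        if not hmac.compare_digest(tag, mac(self.key, sender, t_ms)):
            return "reject: bad MAC"
        if abs(now_ms - t_ms) > self.skew_ms:
            return "reject: outside clock-skew window"
        # Entries older than the window can be dropped: they fail the check above.
        self.seen = {(s, t) for (s, t) in self.seen if now_ms - t <= self.skew_ms}
        if (sender, t_ms) in self.seen:
            return "reject: replay"
        self.seen.add((sender, t_ms))
        return "accept"

def demo():
    """Run four constructed deliveries of one message through the verifier."""
    k_ab = b"constructed-shared-key-k_AB"  # constructed sample key
    b = TimestampVerifier(k_ab)
    t_a = 1_000_000                        # A's clock, in milliseconds
    tag = mac(k_ab, "A", t_a)
    return [
        b.check("A", t_a, tag, now_ms=t_a + 150),      # first delivery
        b.check("A", t_a, tag, now_ms=t_a + 300),      # same message again
        b.check("A", t_a, tag, now_ms=t_a + 60_000),   # delivered a minute late
        b.check("A", t_a + 1, tag, now_ms=t_a + 300),  # timestamp changed in transit
    ]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The replay cache only has to cover the skew window, which is why the two requirements on the slide go together: a wider tolerance for clock skew means more timestamps to remember.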

18 Sequence Numbers
- Originator maintains counter
  - Incremented by 1 after each challenge
  - Must be bound with data that identifies channel
- Recipient memorizes most recent value
  - Rejects values that are too old
- Similar to timestamp but
  - Local to originator or even channel
  - Cannot be used for timeout

[Diagrams: challenge-response exchanges between A and B using counters. Messages shown: c_A, {c_A}_{k_AB}, {c_A - 1}_{k_AB}]

19 Keys
- Initiator generates key k
  - Sends it encrypted
- Recipient responds using k
- Other mechanisms needed to guarantee freshness to recipient
- Often done through third-party
  - Achieves key distribution at the same time

[Diagrams: challenge-response exchanges using keys. Between A and B: {k}_{k_AB}, {“Hi!”}_k. Through the third party S: {k}_{k_AS}, {k}_{k_BS}]

20 More on Keys
- Long-term keys
  - Exist before the protocol begins
  - Do not change across protocol executions
- Session keys (or short-term keys)
  - Generated as part of the protocol
  - Validity guaranteed till protocol is completed
  - Could be released when protocol terminates
  - Could be cryptographically weak
- Session (or run)
  - Protocol execution from start to finish

21 Authentication
Assurance to be talking with the expected principal
- Challenge-response is a fundamental mechanism
  - Ensure freshness
  - If channel is trusted, authenticates recipient to initiator
- Mutual authentication
  - Both parties believe they are talking to each other
  - Done through double challenge-response
  - Typically 3 messages

Needham-Schroeder public-key protocol (fragment):
  A → B: {A, n_A}_{k_B}
  B → A: {n_A, n_B}_{k_A}
  A → B: {n_B}_{k_B}

22 Key Generation Protocols …
A wants to establish channel with B
- Shared-key infrastructure
  - Principals share a key with a KDC
- Public-key infrastructure
  - Principals have published encryption keys
- Diffie-Hellman
  - Principals know group and generator

23 … with Shared-Key Infrastructure
- Each principal has a shared key with KDC S
- Ask S to create channel
  - Create new key k
  - Distribute k to A and B using k_AS and k_BS
- Examples
  - Needham-Schroeder shared-key protocol
  - Otway-Rees, Yahalom, Woo-Lam, …

[Diagram: KDC S linked to principals A, B, C, D, … by the shared keys k_AS, k_BS, k_CS, k_DS, …]

24 Needham-Schroeder Shared Key
- S creates k_AB
- 1 challenge-response authenticates S to A
- 2 challenge-response authenticate A and B

  A → S: A, B, n_A
  S → A: {n_A, B, k_AB, {k_AB, A}_{k_BS}}_{k_AS}
  A → B: {k_AB, A}_{k_BS}
  B → A: {n_B}_{k_AB}
  A → B: {n_B - 1}_{k_AB}
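One honest run of the Needham-Schroeder shared-key exchange in the lecture's own abstraction, where encryption is a symbolic term rather than a real cipher. This is an added example, not part of the original slides; the helper names `enc`, `dec` and `run_nssk` and the string key labels are assumptions made for illustration.

```python
import secrets

def enc(key, *fields):
    """Symbolic {fields}_key: a tagged tuple, no real cipher involved."""
    return ("enc", key, fields)

def dec(key, term):
    """Open a symbolic ciphertext; only the exact key succeeds."""
    tag, used_key, fields = term
    if tag != "enc" or used_key != key:
        raise ValueError("cannot decrypt: wrong key")
    return fields

def run_nssk(k_as="k_AS", k_bs="k_BS"):
    """One honest session; returns what A and B each end up holding."""
    trace = []

    # 1. A -> S : A, B, n_A
    n_a = secrets.randbits(64)
    m1 = ("A", "B", n_a)
    trace.append(("A->S", m1))

    # 2. S -> A : {n_A, B, k_AB, {k_AB, A}_kBS}_kAS   (S creates k_AB)
    init, resp, n = m1
    k_ab = "k_AB:" + secrets.token_hex(8)
    m2 = enc(k_as, n, resp, k_ab, enc(k_bs, k_ab, init))
    trace.append(("S->A", m2))

    # A: the returned nonce and peer name must match the request
    got_n, got_peer, a_key, ticket = dec(k_as, m2)
    if got_n != n_a or got_peer != "B":
        raise ValueError("A: reply from S is not fresh or names the wrong peer")

    # 3. A -> B : {k_AB, A}_kBS   (A forwards a ticket it cannot open)
    trace.append(("A->B", ticket))
    b_key, b_peer = dec(k_bs, ticket)

    # 4. B -> A : {n_B}_kAB
    n_b = secrets.randbits(64)
    m4 = enc(b_key, n_b)
    trace.append(("B->A", m4))

    # 5. A -> B : {n_B - 1}_kAB
    (challenge,) = dec(a_key, m4)
    m5 = enc(a_key, challenge - 1)
    trace.append(("A->B", m5))

    # B: only a holder of k_AB can turn n_B into n_B - 1
    (answer,) = dec(b_key, m5)
    if answer != n_b - 1:
        raise ValueError("B: wrong response to challenge")
    return {"a_key": a_key, "b_key": b_key, "b_peer": b_peer, "trace": trace}

if __name__ == "__main__":
    for direction, message in run_nssk()["trace"]:
        print(direction, message)
```

In this run B receives nothing in message 3 that shows the ticket was created recently; its own nonce n_B only appears in messages 4 and 5.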

25 … with Public-Key Infrastructure
- Each principal has a certified public key available to others
- A and B use k_B and k_A to communicate securely
- Examples
  - Bilateral key exchange protocol
  - …

[Diagram: CA and principals A, B, C, D, …; public data: k_A, k_B, k_C, k_D]

26 Bilateral Key Exchange Protocol
- h is a hash function
- Certificates could be included
- Includes 2 challenge-response exchanges

Public data: k_A, k_B
  A → B: A, {n_A, B}_{k_B}
  B → A: {h(n_A), n_B, B, k}_{k_A}
  A → B: {h(n_B)}_k

27 … with Diffie-Hellman
- Diffie Hellman alone cannot guarantee authentication
- Minimum infrastructure required
  - Public key infrastructure for signatures
- Examples
  - Station-to-station protocol
- Found as option in many big protocols
  - IPSEC, ISAKMP, …

28 Diffie-Hellman Key Exchange
Public data: p, g

A:
  Choose random a, 1 ≤ a ≤ p-1
  Send g^a mod p
  Receive g^b mod p
  (g^b)^a = g^ab mod p
  k = h(g^ab)

B:
  Receive g^a mod p
  Choose random b, 1 ≤ b ≤ p-1
  Send g^b mod p
  (g^a)^b = g^ab mod p
  k = h(g^ab)

Messages:
  A → B: g^a mod p
  B → A: g^b mod p

- A and B produce a shared secret out of nothing
- However, no authentication
  - A has no way to be sure 2nd message is from B
  - B has no way to be sure 1st message is from A

29 Station-to-Station Protocol
- This is an authenticated Diffie-Hellman
- k'_A and k'_B are public signature keys
  - Certificates could also be included
- g^a and g^b used for challenge-response
- Achieves mutual authentication

Public data: p, g, k'_A, k'_B
k = g^ab
  A → B: g^a
  B → A: g^a, {[g^a, g^b]_{k'_B}}_k
  A → B: {[g^a, g^b]_{k'_A}}_k

30 Key Distribution Protocols
- A and B possess public keys
  - Registered with certification authority
  - Certificates not available
- Request signed certificates from CA
- Examples
  - Needham-Schroeder public-key protocol
    - S acts as key database and CA
    - A and B use nonces for mutual authentication
  - …

31 Needham-Schroeder Public Key
Public data: k_A, k_B
  A → S: A, B
  S → A: [B, k_B]_{k'_S}
  A → B: {A, n_A}_{k_B}
  B → S: B, A
  S → B: [A, k_A]_{k'_S}
  B → A: {n_A, n_B}_{k_A}
  A → B: {n_B}_{k_B}

32 Key Translation Protocols
- A wants to send message to B … but no server is around to create keys
- A exploits existing channels with a trusted third party S
  - A sends m to S encrypted with k_AS
  - S forwards m to B encrypted with k_BS
- Timestamps or other mechanisms used for authentication
  - S must be trusted to manipulate them correctly
- Examples
  - Wide-Mouthed Frog protocol

33 Wide-Mouthed Frog Protocol
- A generates the key k_AB
- S provides trusted timestamping
  - With t_A, A authenticates to S
  - With t_S, S authenticates to B
  - A authenticates to B indirectly
- No authentication in the reverse direction

  A → S: A, {t_A, B, k_AB}_{k_AS}
  S → B: {t_S, A, k_AB}_{k_BS}

34 Subprotocols
Useful to add structure to protocols
- Deterministic choice of continuation
  - Protocol behaves differently on different inputs
  - Protocol responds to optional requests
- Non-deterministic continuation
  - Protocol flips a coin
  - Protocol can request optional behavior
- Repeated parts
  - Repetitive behavior after initial phase
  - E.g. Neuman-Stubblebine, Kerberos, …

35 Neuman-Stubblebine – Initial Part
- {A, k_AB, t_B}_{k_BS} is A’s ticket to access B’s service
- n_A and n_B mutually authenticate A and B

  A → B: A, n_A
  B → S: B, {A, n_A, t_B}_{k_BS}, n_B
  S → A: {B, n_A, k_AB, t_B}_{k_AS}, {A, k_AB, t_B}_{k_BS}, n_B
  A → B: {A, k_AB, t_B}_{k_BS}, {n_B}_{k_AB}

36 Neuman-Stubbl. – Repeated Part
- A uses ticket to access B’s service
  - … until it expires
- n'_A and n'_B reauthenticate A and B

  A → B: {A, k_AB, t_B}_{k_BS}, n'_A
  B → A: n'_B, {n'_A}_{k_AB}
  A → B: {n'_B}_{k_AB}