CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

Slides:



Advertisements
Similar presentations
AUTHENTICATION AND KEY DISTRIBUTION
Advertisements

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
CSC 474 Information Systems Security
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 15 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 23 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 24 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Authentication System
CMSC 414 Computer (and Network) Security Lecture 25 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Computer Science Public Key Management Lecture 5.
Strong Password Protocols
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.
Lecture 11: Strong Passwords
Key Agreement Guilin Wang School of Computer Science 12 Nov
EE515/IS523 Think Like an Adversary Lecture 4 Crypto in a Nutshell Yongdae Kim.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
1 Lecture 9: Cryptographic Authentication objectives and classification one-way –secret key –public key mutual –secret key –public key establishing session.
Digital Signatures, Message Digest and Authentication Week-9.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Lecture 6.1: Protocols - Authentication and Key Exchange I CS 436/636/736 Spring 2012 Nitesh Saxena.
Kerberos Guilin Wang School of Computer Science 03 Dec
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Authentication Protocols (I): Secure Handshake.
Wireless Network Security CSIS 5857: Encoding and Encryption.
Identify Friend or Foe (IFF) Chapter 9 Simple Authentication protocols Namibia Angola 1. N 2. E(N,K) SAAF Impala Russian MIG 1 Military needs many specialized.
1 Authentication Protocols Rocky K. C. Chang 9 March 2007.
1 Authenticated Key Exchange Rocky K. C. Chang 20 March 2007.
Chapter 9 Simple Authentication Protocols Simple Security Protocol Authentication Protocols Authentication and TCP Chapter 9 Simple Authentication protocols.
Lesson Introduction ●Authentication protocols ●Key exchange protocols ●Kerberos Security Protocols.
Chapter eight: Authentication Protocols 2013 Term 2.
1 Example security systems n Kerberos n Secure shell.
Fourth Edition by William Stallings Lecture slides by Lawrie Brown
Security Handshake Pitfalls. Client Server Hello (K)
Computer Communication & Networks
CMSC 414 Computer and Network Security Lecture 15
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
AIT 682: Network and Systems Security
Presentation transcript:

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz

Challenge-response  Client and server share a key k  Generically: server sends R; user sends f(k, R)  For which f will this be secure?  What if R is non-repeating, but predictable?  Drawbacks –No mutual authentication –No key exchange –Dictionary attack if k is low entropy –Insecure against server compromise

“Reverse” challenge-response  Server sends f(k, R) and client sends R –I.e., send a ciphertext and have user decrypt it  Mutual authentication (if decrypts “validly”)??  Which f are suitable?  Weaknesses? –Uses encryption for authentication (Note that a MAC cannot, in general, be used) –Vulnerable to dictionary attack just by false attempted login (not eavesdropping) –Authentication of server assumes no replay…

Single-flow protocol  Use time instead of a server-generated challenge  User sends –What if she had used encryption, or a hash? –What about just sending MAC K (time)?  No server state; single message  Considerations? –Requires (loosely) synchronized clocks –Must guard against replay… –What if user has same key on multiple servers? –Clock reset attacks; clock DoS attacks! –No mutual authentication

Public-key protocol  What if we instantiate challenge-response or reverse challenge-response with signatures or public-key encryption? –Is it secure?  Possible resistance to server compromise (as we have seen already)  Is it a problem that the adversary can get the client to sign an arbitrary value? –Use different keys for different purposes

Adding mutual authentication  Double challenge-response in 4 rounds  Client sends their name  Server sends a nonce R  Client sends f(k, R) and R’  Server sends f(k, R’)  Again, what f should be used?

Mutual authentication in 3 rounds?  Can we compress the previous protocol to 3 rounds? –Client sends their name, R’ –Server sends f(k, R’) and R –Client sends f(k, R)  Seems ok…

Mutual authentication in 3 rounds  Insecure! (reflection attack using two server connections…) –Also vulnerable to off-line password guessing without eavesdropping –To improve security, make protocol asymmetric –No such attack on original protocol Security principle: let initiator prove its identity first  A good illustration that designing secure protocols is very subtle! –Another warning against modifying existing protocols even in seemingly “innocuous” ways

Using timestamps?  User sends, server responds with MAC K (time+1) –What if they used encryption instead?  Vulnerabilities? –Symmetric protocol…

A public-key protocol  Client sends Enc pks (R)  Server sends R, Enc pkc (R’)  Client sends R’  Security? –Vulnerable to chosen-ciphertext attacks… –Seems better to use signatures  How does the client obtain pks and skc? –One option is to download “credentials” from another site using a password

Establishing a session key  Use the (secure) double challenge-response protocol from earlier; let the session key be F k (R+1) –Is this secure? –How to fix?  (Note: the fix suggested in the book is bad)

Public-key based…  Include E pk (session-key) in protocol? –No authentication of the ciphertext  Encrypt session-key and sign the result? –No forward secrecy… –Potentially vulnerable to replay attacks  Client sends E pks (R 1 ); server sends E pkc (R 2 ); session key is R 1 +R 2 –Reasonable… –Why isn’t it a problem that the ciphertexts are not authenticated? –Implicit vs. explicit authentication

Authenticated Diffie-Hellman  Add signatures/MACs and nonces to Diffie- Hellman protocol –Note: achieves forward secrecy –A lot of subtle details involved…

Authentication with password + public key  Say that only the server has a known public key (e.g., SSL) –Server sends R –Client sends E pk (R, password, session-key)  Insecure in general!!! –But secure if encryption scheme is chosen appropriately  Can be extended to give mutual authentication