CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

Slides:



Advertisements
Similar presentations
AUTHENTICATION AND KEY DISTRIBUTION
Advertisements

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Lecture 10: Mediated Authentication
Chapter 10 Real world security protocols
Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
1 Distributed Computer Security: Authentication and Key Distribution Vijay Jain CSc 8320, Spring 2007.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
Authentication & Kerberos
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz.
Computer Security Key Management
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
1 Authentication Applications Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW.
CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
1 Key Management CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 1, 2004.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 23 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 24 Jonathan Katz.
Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
1 Authentication Protocols Celia Li Computer Science and Engineering York University.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.
Security protocols  Authentication protocols (this lecture)  Electronic voting protocols  Fair exchange protocols  Digital cash protocols.
15.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Key Management.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
Fall 2010/Lecture 321 CS 426 (Fall 2010) Key Distribution & Agreement.
Topic 14: Secure Communication1 Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Authentication Protocols (I): Secure Handshake.
User Authentication  fundamental security building block basis of access control & user accountability  is the process of verifying an identity claimed.
1 Authentication Protocols Rocky K. C. Chang 9 March 2007.
CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.
Lesson Introduction ●Authentication protocols ●Key exchange protocols ●Kerberos Security Protocols.
@Yuan Xue CS 285 Network Security Key Distribution and Management Yuan Xue Fall 2012.
Pertemuan #8 Key Management Kuliah Pengaman Jaringan.
Dr. Nermi hamza.  A user may gain access to a particular workstation and pretend to be another user operating from that workstation.  A user may eavesdrop.
1 Authentication Celia Li Computer Science and Engineering York University.
Fourth Edition by William Stallings Lecture slides by Lawrie Brown
Security Handshake Pitfalls. Client Server Hello (K)
Cryptography and Network Security
CMSC 414 Computer and Network Security Lecture 15
CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9
KERBEROS.
CDK: Chapter 7 TvS: Chapter 9
AIT 682: Network and Systems Security
Presentation transcript:

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz

Mediated authentication (using a KDC)

Needham-Schroeder  A  KDC: N 1, Alice, Bob  KDC  A: Enc KB {N 1, “Bob”, K AB, ticket}, where ticket = Enc KB {K AB, “Alice”}  A  B: ticket, Enc KAB {N 2 }  B  A: Enc KAB {N 2 -1, N 3 }  A  B: Enc KAB {N 3 -1}

Analysis?  N 1 assures Alice that she is talking to KDC –Prevents key-replay; helps prevent attack when Bob’s key is compromised and then changed  “Bob” authenticated in message 2, and “Alice” in ticket  Uses encryption to authenticate…  –Leads to reflection attack on Bob if, e.g., ECB mode is used in round 4  Vulnerable if Alice’s key (even an old one) compromised –A ticket is eternally valid –Fix using timestamps, or by Alice requesting a nonce from Bob at the very beginning of the protocol

Otway-Rees  Addresses the ticket invalidation problem, in fewer rounds

Otway-Rees  A  B: N, “Alice”, Enc KA {N A, N, “Alice”, “Bob”}  B  KDC: Enc KA {N A, N, “Alice”, “Bob”}, Enc KB {N B, N, “Alice”, “Bob”}  KDC  B: N, Enc KA {N A, K AB }, Enc KB {N B, K AB }  B  A: Enc KA {N A, K AB }  A  B: Enc KAB (timestamp)

Analysis?  Why does Alice believe she is talking to Bob? –(Unfortunately, relies on encryption for authentication)  Why does Bob believe he is talking to Alice?  Note: N should be unpredictable, not just a nonce –Otherwise, can falsely authenticate Bob to Alice

Kerberos  Simpler; assumes loosely coordinated clocks  A  KDC: N, “Bob”  KDC  A: Enc KA {N, “Bob”, K AB, ticket}, where ticket = Enc KB {K AB, “Alice”, exp-time}  A  B: ticket, Enc KAB {timestamp}  B  A: Enc KAB {timestamp+1}

Desiderata and summary  This is not an exhaustive list!  These are concerns to be aware of; in some cases you may decide that certain threats are not a concern  Better to formally define a security model and prove security (but here we will be informal)

Desiderata and summary  Adversary initiating session as client –(Easiest attack to carry out) –No impersonation (obviously!) –No off-line password guessing –Should not learn information that will subsequently allow impersonation of server to client –Be aware of server decrypting/signing unauthenticated challenges –Splicing messages into the session  Similar for adversary accepting connections from client (though this is a harder attack)

Desiderata and summary  Eavesdropping –Should not learn information that would allow for later impersonation (possibly to another replica of Bob) –Messages should be encrypted –No off-line dictionary attacks  Server compromise –Should not learn client’s password –Forward secrecy –Impersonation of client to server(?)

Certificate authorities and PKI

PKI overview  In our discussion of public-key crypto, we have assumed users know each others’ public keys  But how can public keys be reliably distributed? –Download from web page insecure against man-in-the- middle attack –Can be obtained from CD-ROM or in person, but this is impractical in general  One solution: bootstrap new public keys from public keys you already know! –Certificates vouch for binding of public keys to names

Certificates  One party can vouch for the public key of another  Cert(A  B) = Sign SKA (“B”, PK B, info) –“info” can contain expiration time, restrictions, etc.  Can view this as a directed edge in a graph:  If you know A’s public key (and trust its certification), you can learn B’s public key PK A PK B

Transitivity/“certificate chains”  Can learn keys via multiple hops:  Semantics are slightly different here: you may trust A to certify B, but do you trust A to certify that B can certify others? PK A PK B PK C Cert(A  B) Cert(B  C)

Transitivity  Can also infer trust from multiple (disjoint?) paths to the same public key for the same identity –Edges may also have weights indicating level of trust –A difficult problem in general PK A PK B PK C PK D PK E Public keys I already know

Usage of certificates  “Trust anchors” = set of public keys already known (and trusted to certify others)  How to obtain certificates?  Some possibilities: –B “collects” certificate(s) for itself, sends these all when starting a connection –A finds certificates/certificate chains beginning at its own trust anchors and terminating at B –A tells B its trust anchors, B (finds and) sends certificates or certificate chains beginning at those trust anchors and terminating at itself

Certificates in the real world  PGP keyserver  CAs embedded in browsers