Slide 1 Vitaly Shmatikov CS 378 Key Establishment Pitfalls.

Slides:



Advertisements
Similar presentations
CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Advertisements

Lecture 10: Mediated Authentication
Chapter 10 Real world security protocols
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
CSC 474 Information Systems Security
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
CS470, A.SelcukNeedham-Schroeder1 Needham-Schroeder Protocol Authentication & Key Establishment CS 470 Introduction to Applied Cryptography Instructor:
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 23 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.
Key Distribution CS 470 Introduction to Applied Cryptography
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.
1 Lecture 14: Real-Time Communication Security real-time communication – two parties interact in real time (as opposed to delayed communication like )
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
Cryptography  Why Cryptography  Symmetric Encryption  Key exchange  Public-Key Cryptography  Key exchange  Certification.
Lecture 14 ISAKMP / IKE Internet Security Association and Key Management Protocol / Internet Key Exchange CIS CIS 5357 Network Security.
Network Security Lecture 23 Presented by: Dr. Munam Ali Shah.
Security protocols  Authentication protocols (this lecture)  Electronic voting protocols  Fair exchange protocols  Digital cash protocols.
Security protocols and their verification Mark Ryan University of Birmingham Midlands Graduate School University of Birmingham April 2005 Steve Kremer.
Using Cryptography for Network Security Common problems: –Authentication - A and B want to prove their identities to one another –Key-distribution - A.
Fall 2010/Lecture 321 CS 426 (Fall 2010) Key Distribution & Agreement.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
Lecture 16: Security CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 Chapter 30 Message Security, User Authentication, and Key Management.
1 Needham-Schroeder A --> S: A,B, N A S --> A: {N A,B,K AB,{K AB,A} KBS } KAS A --> B:{K AB,A} KBS B --> A:{N B } KAB A --> B:{N B -1} KAB.
Lecture 5.2: Key Distribution: Private Key Setting CS 436/636/736 Spring 2012 Nitesh Saxena.
6 June Lecture 2 1 TU Dresden - Ws on Proof Theory and Computation Formal Methods for Security Protocols Catuscia Palamidessi Penn State University,
Cryptography 1 Crypto Cryptography 2 Crypto  Cryptology  The art and science of making and breaking “secret codes”  Cryptography  making “secret.
Using Cryptography for Network Security Common problems: –Authentication - A and B want to prove their identities to one another –Key-distribution - A.
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Authentication Protocols (I): Secure Handshake.
Computer and Network Security - Message Digests, Kerberos, PKI –
Lecture 5.1: Message Authentication Codes, and Key Distribution
Dan Boneh Basic key exchange Trusted 3 rd parties Online Cryptography Course Dan Boneh.
COEN 351 Authentication. Authentication is based on What you know Passwords, Pins, Answers to questions, … What you have (Physical) keys, tokens, smart-card.
Identify Friend or Foe (IFF) Chapter 9 Simple Authentication protocols Namibia Angola 1. N 2. E(N,K) SAAF Impala Russian MIG 1 Military needs many specialized.
1 Authenticated Key Exchange Rocky K. C. Chang 20 March 2007.
9.2 SECURE CHANNELS JEJI RAMCHAND VEDULLAPALLI. Content Introduction Authentication Message Integrity and Confidentiality Secure Group Communications.
Security. Cryptography (1) Intruders and eavesdroppers in communication.
Lesson Introduction ●Authentication protocols ●Key exchange protocols ●Kerberos Security Protocols.
@Yuan Xue CS 285 Network Security Key Distribution and Management Yuan Xue Fall 2012.
Pertemuan #8 Key Management Kuliah Pengaman Jaringan.
@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.
Dr. Nermi hamza.  A user may gain access to a particular workstation and pretend to be another user operating from that workstation.  A user may eavesdrop.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
Network Security and It’s Issues
Security Handshake Pitfalls. Client Server Hello (K)
Man in the Middle Attacks
AIT 682: Network and Systems Security
Presentation transcript:

slide 1 Vitaly Shmatikov CS 378 Key Establishment Pitfalls

slide 2 Secure Sessions uSecure sessions are one of the most important applications in network security Enable us to talk securely on an insecure network uGoal: secure bi-directional communication channel between two parties The channel must provide confidentiality –Third party cannot read messages on the channel The channel must provide authentication –Each party must be sure who the other party is Other desirable properies: integrity, protection against denial of service, anonymity against eavesdroppers

slide 3 Key Establishment Protocols uCommon implementation of secure sessions: establish a secret key known only to two parties Can then use block ciphers for confidentiality, HMAC for authentication, and so on uChallenge: how to establish a secret key using only public information uEven if the two parties share a long-term secret, a fresh key should be created for each session Long-term secrets are valuable; want to use them as sparingly as possible to limit exposure and the damage if the key is compromised

slide 4 Key Establishment Techniques uUse a trusted key distribution center (KDC) Every party shares a pairwise secret key with KDC KDC creates a new random session key and then distributes it, encrypted under the pairwise keys –Example: Kerberos uUse public-key cryptography Diffie-Hellman authenticated with signatures –Example: IKE (Internet Key Exchange) One party creates a random key, sends it encrypted under the other party’s public key –Example: TLS (Transport Layer Security)

slide 5 Private-Key Needham-Schroeder AliceBob KDC (knows secret keys K Alice and K Bob ) N 1, “I’m Alice, wanna talk to Bob” Creates fresh random session key K AB Encrypt K Alice (N 1,“Bob”,K AB, Encrypt K Bob (K AB,“Alice”)) ticket ticket, Encrypt K AB (N 2 ) Encrypt K AB (N 2 -1, N 3 ) Encrypt K AB (N 3 -1) Fresh, random nonce Another nonce Yet another nonce

slide 6 Weird Reflection Attack Bob Encrypt K AB (N 2 -1, N 3 ) uSuppose symmetric encryption is in ECB mode… Bad idea in general Can’t decrypt, but in ECB mode can extract Encrypt K AB (N 3 ) Open a new session with Bob… Alice’s ticket, Encrypt K AB (N 3 ) Encrypt K AB (N 3 -1, N 4 ) Extract Encrypt K AB (N 3 -1) Now successfully authenticate in first session… Encrypt K AB (N 3 -1) Alice’s ticket, Encrypt K AB (N 2 ) Replay an old message from Alice

slide 7 Otway-Rees Protocol AliceBob KDC (knows secret keys K Alice and K Bob ) Creates fresh random session key K AB N C, “Alice”, “Bob”, Encrypt K Alice (N A,N C,“Alice”,“Bob”) N C, Encrypt K Alice (N A, K AB ) Encrypt K AB (anything recognizable) This nonce is sent in the clearThis nonce is hidden from Bob Encrypt K Alice (N A,N C,“Alice”,“Bob”) Encrypt K Bob (N B,N C,“Alice”,“Bob”) Bob’s own nonce N C, Encrypt K Alice (N A,K AB ), Encrypt K Bob (N B,K AB ),     

slide 8 Brief Analysis of Otway-Rees AliceBob KDC (knows secret keys K Alice and K Bob ) N C, “Alice”, “Bob”, Encrypt K Alice (N A,N C,“Alice”,“Bob”) N C, Encrypt K Alice (N A, K AB ) Encrypt K AB (anything recognizable) Encrypt K Alice (N A,N C,“Alice”,“Bob”) Encrypt K Bob (N B,N C,“Alice”,“Bob”) N C, Encrypt K Alice (N A,K AB ), Encrypt K Bob (N B,K AB ),      Match between these values is the only thing that authenticates Bob to KDC If N C is predictable, attacker can send a bogus message to Bob and fool him into creating Encrypt K Bob (N B,N C,“Alice”,“Bob”). When Alice actually uses N C, attacker will be able to impersonate Bob to KDC. uLesson: randomness of nonces is essential

slide 9 Public-Key Needham-Schroeder Alice Bob Encrypt PublicKey(Bob) (“Alice”, N A ) Encrypt PublicKey(Alice) (N A, N B ) Encrypt PublicKey(Bob) (N B ) Alice’s nonce Bob’s nonce Create new key from N A and N B, e.g., N A  N B Alice’s reasoning: The only person who could know N A is the person who decrypted 1 st message Only Bob can decrypt message encrypted with Bob’s public key Therefore, Bob is on the other end of the line Bob is authenticated! Bob’s reasoning: The only way to learn N B is to decrypt 2 nd message Only Alice can decrypt 2 nd message Therefore, Alice is on the other end Alice is authenticated!

slide 10 Encrypt PublicKey(Bob) (“Alice”, N A ) Evil Bob tricks honest Alice into revealing Charlie’s secret N c Charlie is convinced that he is talking to Alice! [published by Gavin Lowe] Attack on Needham-Schroeder Alice Bob Bob can’t decrypt this message, but he can replay it to Alice Encrypt PublicKey(Alice) (N A, N C ) Evil Bob pretends that he is Alice Charlie Encrypt PublicKey(Charlie) (“Alice”, N A ) Encrypt PublicKey(Alice) (N A, N C ) Encrypt PublicKey(Bob) (N C )

slide 11 Lessons of Needham-Schroeder uYet another example of faulty reasoning Alice is correct that Bob must have decrypted Encrypt PublicKey(Bob) (“Alice”, N A ), but this does not mean that Encrypt PublicKey(Alice) (N A, N B ) came from Bob uIt is important to realize limitations of protocols The attack requires that Alice willingly talk to attacker –Attacker uses a legitimate conversation with Alice to impersonate Alice to Charlie Needham and Schroeder intended this protocol to be used by well-behaved workstations on an insecure network. In their setting, the protocol is correct!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.