Key Exchange Protocols J. Mitchell CS 2592008. Next few lectures uToday 1/17 Some possible projects Key exchange protocols and properties uTuesday 1/19.

Slides:



Advertisements
Similar presentations
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Advertisements

Key Exchange Protocols J. Mitchell CS 259. Next few lectures uToday Key exchange protocols and properties uThursday Cathy Meadows: GDOI uNext Tues Contract-signing.
Key Management Protocols and Compositionality John Mitchell Stanford TECS Week2005.
L8. Reviews Rocky K. C. Chang, May Foci of this course 2 Rocky K. C. Chang  Understand the 3 fundamental cryptographic functions and how they are.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Security at the Network Layer: IPSec
IP Security and Key Establishment CS 395T. Plan for the Next Few Lectures uToday: “systems” lecture on IP Security and design of key exchange protocols.
Chapter 5 Network Security Protocols in Practice Part I
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
IPsec – IKE CS 470 Introduction to Applied Cryptography
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)
Analysis of Security Protocols (I) John C. Mitchell Stanford University.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Slide 1 Vitaly Shmatikov CS 378 Key Establishment Pitfalls.
Just Fast Keying (JFK) Protocol 18739A: Foundations of Security and Privacy Anupam Datta CMU Fall
Security Protocols John Mitchell CS 155May 26, 2005.
Logic for Protocol Composition A. Datta, A. Derek, J. Mitchell, D. Pavlovic.
IPSec: Internet Key Exchange
Internet Security CSCE 813 IPsec. CSCE Farkas2 Reading Today: – Oppliger: IPSec: Chapter 14 – Stalllings: Network Security Essentials, 3 rd edition,
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
1 Authentication Protocols Celia Li Computer Science and Engineering York University.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Computer Science Public Key Management Lecture 5.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
IPsec: IKE, Internet Key Exchange IPsec does not use Public Key Infrastructure and exchanging keys before an IPsec connection is established is a problem.
1 Lecture 14: Real-Time Communication Security real-time communication – two parties interact in real time (as opposed to delayed communication like )
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
Key Exchange Protocols J. Mitchell CS 259. Next few lectures uToday 1/17 Brief cryptography background Key exchange protocols and properties uThursday.
1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.
IP Security Lawrence Taub IPSEC IP security — security built into the IP layer Provides host-to-host (or router-to-router) encryption and.
Lecture 14 ISAKMP / IKE Internet Security Association and Key Management Protocol / Internet Key Exchange CIS CIS 5357 Network Security.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
1 Lecture 16: IPsec IKE history of IKE Photurus IKE phases –phase 1 aggressive mode main mode –phase 2.
Fall 2010/Lecture 321 CS 426 (Fall 2010) Key Distribution & Agreement.
IPSEC : KEY MANAGEMENT PRESENTATION BY: SNEHA A MITTAL(121427)
Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.
Lecture 16: Security CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9.
Digital Signatures, Message Digest and Authentication Week-9.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
1 Chapter 10: Key Management in Public key cryptosystems Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Modified by Prof. M. Singhal,
IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.
Computer and Network Security - Message Digests, Kerberos, PKI –
Group 9 Chapter 8.3 – 8.6. Public Key Algorithms  Symmetric Key Algorithms face an inherent problem  Keys must be distributed to all parties but kept.
Protocol Analysis. CSCE Farkas 2 Cryptographic Protocols Two or more parties Communication over insecure network Cryptography used to achieve goal.
Key Management Network Systems Security Mort Anvari.
CPS Computer Security Tutorial on Creating Certificates SSH Kerberos CPS 290Page 1.
Cryptography and Network Security (CS435) Part Thirteen (IP Security)
1 Authenticated Key Exchange Rocky K. C. Chang 20 March 2007.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
1 Secure Key Exchange: Diffie-Hellman Exchange Dr. Rocky K. C. Chang 19 February, 2002.
Fall 2006CS 395: Computer Security1 Key Management.
@Yuan Xue CS 285 Network Security Key Distribution and Management Yuan Xue Fall 2012.
Dr. Nermi hamza.  A user may gain access to a particular workstation and pretend to be another user operating from that workstation.  A user may eavesdrop.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
Fourth Edition by William Stallings Lecture slides by Lawrie Brown
Key Management Protocols and Compositionality John Mitchell Stanford TECS Week2005.
Chapter 5 Network Security Protocols in Practice Part I
Reviews Rocky K. C. Chang 20 April 2007.
Computer Communication & Networks
Just Fast Keying (JFK) Protocol
CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9
CDK: Chapter 7 TvS: Chapter 9
Presentation transcript:

Key Exchange Protocols J. Mitchell CS

Next few lectures uToday 1/17 Some possible projects Key exchange protocols and properties uTuesday 1/19 Contract-signing protocols Choose project partner, topic? uNext Thurs 1/24 Wireless security: i Homework #1 due uTuesday 1/29 Probabilistic model checking uProject presentation #1 1/31 One page, 1-2 slides on your project topic

Course projects Choose a subject u Network protocol Wired networking (VoIP?) Wireless Mobility u Security system Tamper-proof chip “Trusted computing” u Privacy, security policy HIPAA GLBA … Choose a tool u Murphi Standard finite-state tool u PRISM probabilistic checker u MOCHA Games, temporal logic u Constraint solvers u Avispa tool set u Prolog u Isabelle Automated theorem proving

Some project topics uAdd timestamps to Kerberos uGroup key handshake from i uIPv6 binding update (already taken?) u802.1af, DKIM, … uTCG protocols register TPM to CA, … uHIPAA, other privacy laws, GLBA,... uVoting machine, voting procedure election board “programs” election, votes cast, counted, possibly recounted … Send or talk with us about choosing a project

Process uChoose your project partner You can work alone, or with another person uChose a subject for your project Can be something already familiar Project presentation #1 at this point! uFormulate an “abstraction” of system Separate relevant and irrelevant details Identify security properties of interest uChoose a tool and method uComplete your study. Success! Clear explanation of security goals Possible bugs or insecure configurations Identify proper, improper use

Key Management uOut of band Can set up some keys this way (Kerberos) uPublic-key infrastructure (PKI) Leverage small # of public signing keys uProtocols for session keys Generate short-lived session key Avoid extended use of important secret Don’t use same key for encryption and signing Forward secrecy Cryptography reduces many problems to key management

Public-Key Infrastructure Certificate Authority ClientServer Known public signature verification key Ka Sign(Ka, Ks), Sign(Ks, msg) Certificate Sign(Ka, Ks) Ks Server certificate can be verified by any client that has CA key Ka Certificate authority is “off line”

Key Distribution: Kerberos Idea Client KeyCenter Server Shared symmetric key Kc Shared symmetric key Ks {Kcs, {Kcs} Ks } Kc {Kcs} Ks { msg } Kcs Key Center generates session key Kcs and distributes using shared long-term keys

Key Exchange uParties may have initial information uGenerate and agree on session key Authentication – know ID of other party Secrecy – key not known to any others Avoid replay attack Forward secrecy Avoid denial of service Identity protection – disclosure to others Other properties you can think of???

Diffie-Hellman Key Exchange uAssume finite group G =  S,   Generator g so every x  S is x = g n Example: integers modulo prime p uProtocol g a mod p g b mod p A B Alice, Bob share g ab mod p not known to anyone else

Diffie-Hellman Key Exchange Authentication? Secrecy? Replay attack Forward secrecy? Denial of service? Identity protection? g a mod p g b mod p A B

IPSec: Network Layer Security uAuthentication Header (AH) Access control and authenticate data origins replay protection No confidentiality uEncapsulated Secure Payload (ESP) Encryption and/or authentication uInternet Key Management (IKE) Determine and distribute secret keys Oakley + ISAKMP Algorithm independent uSecurity policy database (SPD) discarded, or bypass

IKE: Many modes uMain mode Authentication by pre-shared keys Auth with digital signatures Auth with public-key encryption Auth with revised public-key encryption uQuick mode Compress number of messages Also four authentication options

Aug 2001 Position Statement u In the several years since the standardization of the IPSEC protocols (ESP, AH, and ISAKMP/IKE), … several security problems…, most notably IKE. uFormal and semi-formal analyses by Meadows, Schneier et al, and Simpson, have shown … security problems in IKE stem directly from its complexity. uIt seems … only a matter of time before serious *implementation* problems become apparent, again due to the complex nature of the protocol, and the complex implementation that must surely follow. uThe Security Area Directors have asked the IPSEC working group to come up with a replacement for IKE.

How to study complex protocol

General Problem in Security uDivide-and-conquer is fundamental Decompose system requirements into parts Develop independent software modules Combine modules to produce required system uCommon belief: Security properties do not compose Difficult system development problem

Example protocol Protocol P1 A  B : {message} KB A  B : KA -1 uThis satisfies basic requirements Message is transmitted under encryption Revealing secret key KA -1 does not reveal message

Similar protocol Protocol P2 B  A : {message’} KA B  A : KB -1 uTransmits msg securely from B to A Message is transmitted under encryption Revealing secret key KB -1 does not reveal message

Composition P1; P2 uSequential composition of two protocols A  B : {message} KB A  B : KA -1 B  A : {message’} KA B  B : KB -1 uDefinitely not secure Eavesdropper learns both keys, decrypts messages

STS family m=g x, n=g y k=g xy STS 0H STS a STS aH STS H STS 0 STS PH JFK 1 distribute certificates cookie open responder JFK 0 symmetric hash JFK protect identities RFK STS P

Example uConstruct protocol with properties: Shared secret Authenticated Identity Protection DoS Protection uDesign requirements for IKE, JFK, IKEv2 (IPSec key exchange protocol)

Component 1 uDiffie-Hellman A  B: g a B  A: g b Shared secret (with someone) –A deduces: Knows(Y, g ab)  (Y = A) ۷ Knows(Y,b) Authenticated Identity Protection DoS Protection

Component 2 uChallenge Response: A  B: m, A B  A: n, sig B {m, n, A} A  B: sig A {m, n, B} Shared secret (with someone) Authenticated –A deduces: Received (B, msg1) Λ Sent (B, msg2) Identity Protection DoS Protection

Composition uISO protocol: A  B: g a, A B  A: g b, sig B {g a, g b, A} A  B: sig A {g a, g b, B} Shared secret: gab Authenticated Identity Protection DoS Protection m := g a n := g b

Refinement uEncrypt signatures: A  B: g a, A B  A: g b, E K {sig B {g a, g b, A}} A  B: E K {sig A {g a, g b, B}} Shared secret: gab Authenticated Identity Protection DoS Protection

Transformation uUse cookie: JFK core protocol A  B: g a, A B  A: g b, hash KB {g b, g a } A  B: g a, g b, hash KB {g b, g a } E K {sig A {g a, g b, B}} B  A: g b, E K {sig B {g a, g b, A}} Shared secret: gab Authenticated Identity Protection DoS Protection (Here B must store b in step 2, but we’ll fix this later…)

Cookie transformation uTypical protocol Client sends request to server Server sets up connection, responds Client may complete session or not (DOS) uCookie version Client sends request to server Server sends hashed data back –Send message #2 later after client confirms Client confirms by returning hashed data Need extra step to send postponed message

Cookie in JFK uProtocol susceptible to DOS A  B: g a, A B  A: g b, E K {sig B {g a, g b, A}} A  B: E K {sig A {g a, g b, B}} uUse cookie: JFK core protocol A  B: g a, A B  A: g b, hash KB {g b, g a } A  B: g a, g b, hash KB {g b, g a }, eh2 B  A: g b, eh1 eh1 eh2

Efficiency: Reuse D-H key uCostly to compute g a, g b, g ab uSolution Keep medium-term g a, g b (change ~10 min) Replace g a by pair g a, nonce uJFKi, JFKr protocols (except cert or grpinfo, …) A  B: Na, g a, A B  A: Nb, g b, hash KB {Nb, Na, g b, g a } A  B: Na, Nb, g a, g b, hash KB {Nb, Na, g b, g a }, E K {sig A {Na, Nb, g a, g b, B}} B  A: g b, E K {sig B {Na, Nb, g a, g b, A}} Note: B does not need to store any short-term data in step 2

Conclusion uMany protocol properties Authentication Secrecy Prevent replay Forward secrecy Denial of service Identity protection uSystematic understanding is possible But be careful; easy to make mistakes State of the art: need to analyze complete protocol