Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 Nov 4, 2003 Introduction to Computer Security Lecture.

Slides:



Advertisements
Similar presentations
Chapter 14 – Authentication Applications
Advertisements

Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 October 9, 2003 Introduction to Computer Security Lecture.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 8 Nov 2, 2010 Key Management Network Security.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
SMUCSE 5349/73491 Authentication Protocols. SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-1 Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic.
1 Digital Signatures CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 12, 2004.
Chapter 9: Key Management
1 Key Management CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 1, 2004.
More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.
Computer Security1 Bishop: Chapter 9 Key Management.
Slide #9-1 Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures.
CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Computer Science Public Key Management Lecture 5.
Chapter 31 Network Security
Csci5233 Computer Security1 Bishop: Chapter 10 Key Management: Digital Signature.
Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Bob can sign a message using a digital signature generation algorithm
Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Storage & Revoking.
IT 221: Introduction to Information Security Principles Lecture 6:Digital Signatures and Authentication Protocols For Educational Purposes Only Revised:
Digital Signatures. Public Key Cryptography Public Key Cryptography Requirements 1.It must be computationally easy to encipher or decipher a message.
1 IS 2150 / TEL 2810 Information Security & Privacy James Joshi Associate Professor, SIS Lecture 2 Sept 4, 2013 Key Management Network Security.
1 Chapter 9: Key Management All algorithms we have introduced are based on one assumption: keys have been distributed. But how to do that? Key generation,
Chapter 21 Distributed System Security Copyright © 2008.
Network Security Lecture 23 Presented by: Dr. Munam Ali Shah.
Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 October 2, 2003 Introduction to Computer Security Lecture.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Assistant Professor, SIS Lecture 10 Nov 8, 2007 Hash Functions Key Management.
Key Management. Session and Interchange Keys  Key management – distribution of cryptographic keys, mechanisms used to bind an identity to a key, and.
Week 4 - Wednesday.  What did we talk about last time?  RSA algorithm.
Key Management and Identity CS461/ECE422 Spring 2012.
1 Key Management CS461/ECE422 Fall Reading Handbook of Applied Cryptography
Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings.
Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
INFSCI 2935: Introduction to Computer Security1 Project Implementation Implementation  Reasonable sophistication  Up to 3 people maximum Survey type.
Lecture 16: Security CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9.
Digital Signatures, Message Digest and Authentication Week-9.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Authentication Protocols (I): Secure Handshake.
Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
Csci5233 Computer Security1 Bishop: Chapter 10 Key Management.
Slide #9-1 Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
1 Secure Key Exchange: Diffie-Hellman Exchange Dr. Rocky K. C. Chang 19 February, 2002.
1IS2150/TEL2810: Introduction to Computer Security Nov 1, 2005 Introduction to Computer Security Lecture 8 Key Management.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
Fourth Edition by William Stallings Lecture slides by Lawrie Brown
Contents Introduction. 9.1 Session and Interchange Keys.
Chapter 9. Key management
Key Management October 26, 2006 Lecture 7
Project Implementation Survey type paper New idea/research ??
Public Key Infrastructure (PKI)
Overview Key exchange Cryptographic key infrastructure Key storage
Bishop: Chapter 10 Key Management: Digital Signature
Chapter 9: Key Management
Presentation transcript:

Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 Nov 4, 2003 Introduction to Computer Security Lecture 8 Key Management

INFSCI 2935: Introduction to Computer Security2 Issues Authentication and distribution of keys Authentication and distribution of keys  Session key  Key exchange protocols Mechanisms to bind an identity to a key Mechanisms to bind an identity to a key Generation, maintenance and revoking of keys Generation, maintenance and revoking of keys

INFSCI 2935: Introduction to Computer Security3 Notation X  Y : { Z || W } k X,Y X  Y : { Z || W } k X,Y  X sends Y the message produced by concatenating Z and W enciphered by key k X,Y, which is shared by users X and Y A  T : { Z } k A || { W } k A,T A  T : { Z } k A || { W } k A,T  A sends T a message consisting of the concatenation of Z enciphered using k A, A’s key, and W enciphered using k A,T, the key shared by A and T r 1, r 2 nonces (nonrepeating random numbers) r 1, r 2 nonces (nonrepeating random numbers)

INFSCI 2935: Introduction to Computer Security4 Session, Interchange Keys Alice wants to send a message m to Bob Alice wants to send a message m to Bob  Assume public key encryption  Alice generates a random cryptographic key k s and uses it to encipher m To be used for this message only Called a session key  She enciphers k s with Bob’s public key k B k B enciphers all session keys Alice uses to communicate with Bob Called an interchange key  Alice sends { m } k s { k s } k B

INFSCI 2935: Introduction to Computer Security5 Benefits Limits amount of traffic enciphered with single key Limits amount of traffic enciphered with single key  Standard practice, to decrease the amount of traffic an attacker can obtain Makes replay attack less effective Makes replay attack less effective Prevents some attacks Prevents some attacks  Example: Alice will send Bob message that is either “BUY” or “SELL”.  Eve computes possible ciphertexts {“BUY”} k B and {“SELL”} k B.  Eve intercepts enciphered message, compares, and gets plaintext at once

INFSCI 2935: Introduction to Computer Security6 Key Exchange Algorithms Goal: Alice, Bob use a shared key to communicate secretely Goal: Alice, Bob use a shared key to communicate secretely Criteria Criteria  Key cannot be sent in clear Attacker can listen in Key can be sent enciphered, or derived from exchanged data plus data not known to an eavesdropper  Alice, Bob may trust third party  All cryptosystems, protocols publicly known Only secret data is the keys, ancillary information known only to Alice and Bob needed to derive keys Anything transmitted is assumed known to attacker

INFSCI 2935: Introduction to Computer Security7 Classical Key Exchange How do Alice, Bob begin? How do Alice, Bob begin?  Alice can’t send it to Bob in the clear! Assume trusted third party, Cathy Assume trusted third party, Cathy  Alice and Cathy share secret key k A  Bob and Cathy share secret key k B Use this to exchange shared key k s Use this to exchange shared key k s

INFSCI 2935: Introduction to Computer Security8 Simple Key Exchange Protocol Alice Cathy { request for session key to Bob } k A Alice Cathy { k s }k A, { k s }k B Alice Bob { k s } k B Alice Bob {m}ks{m}ks Eve

INFSCI 2935: Introduction to Computer Security9 Problems How does Bob know he is talking to Alice? How does Bob know he is talking to Alice?  Replay attack: Eve records message from Alice to Bob, later replays it; Bob may think he’s talking to Alice, but he isn’t  Session key reuse: Eve replays message from Alice to Bob, so Bob re-uses session key Protocols must provide authentication and defense against replay Protocols must provide authentication and defense against replay

INFSCI 2935: Introduction to Computer Security10 Needham-Schroeder AliceCathy Alice || Bob || r 1 AliceCathy { Alice || Bob || r 1 || k s, { Alice || k s } k B } k A AliceBob { Alice || k s } k B AliceBob { r 2 } k s AliceBob { r 2 – 1 } k s

INFSCI 2935: Introduction to Computer Security11 Argument: Alice talking to Bob Second message Second message  Enciphered using key only she, Cathy know So Cathy enciphered it  Response to first message As r 1 in it matches r 1 in first message Third message Third message  Alice knows only Bob can read it As only Bob can derive session key from message  Any messages enciphered with that key are from Bob

INFSCI 2935: Introduction to Computer Security12 Argument: Bob talking to Alice Third message Third message  Enciphered using key only he, Cathy know So Cathy enciphered it  Names Alice, session key Cathy provided session key, says Alice is other party Fourth message Fourth message  Uses session key to determine if it is replay from Eve If not, Alice will respond correctly in fifth message If so, Eve can’t decipher r 2 and so can’t respond, or responds incorrectly

INFSCI 2935: Introduction to Computer Security13 Problem with Needham-Schroeder Assumption: all keys are secret Assumption: all keys are secret Question: suppose Eve can obtain session key. How does that affect protocol? Question: suppose Eve can obtain session key. How does that affect protocol?  In what follows, Eve knows k s EveBob { Alice || k s } k B [Replay] EveBob { r 3 } k s [Eve intercepts] EveBob { r 3 – 1 } k s

INFSCI 2935: Introduction to Computer Security14 Solution: Denning-Sacco Modification In protocol above, Eve impersonates Alice In protocol above, Eve impersonates Alice Problem: replay in third step Problem: replay in third step  First in previous slide Solution: use time stamp T to detect replay Solution: use time stamp T to detect replay  Needs synchronized clocks Weakness: if clocks not synchronized, may either reject valid messages or accept replays Weakness: if clocks not synchronized, may either reject valid messages or accept replays  Parties with either slow or fast clocks vulnerable to replay  Resetting clock does not eliminate vulnerability

INFSCI 2935: Introduction to Computer Security15 Needham-Schroeder with Denning-Sacco Modification AliceCathy Alice || Bob || r 1 AliceCathy { Alice || Bob || r 1 || k s || { Alice || T || k s } k B } k A AliceBob { Alice || T || k s } k B AliceBob { r 2 } k s AliceBob { r 2 – 1 } k s

INFSCI 2935: Introduction to Computer Security16 Otway-Rees Protocol Corrects problem Corrects problem  That is, Eve replaying the third message in the protocol Does not use timestamps Does not use timestamps  Not vulnerable to the problems that Denning- Sacco modification has Uses integer n to associate all messages with a particular exchange Uses integer n to associate all messages with a particular exchange

INFSCI 2935: Introduction to Computer Security17 The Protocol AliceBob n || Alice || Bob || { r 1 || n || Alice || Bob } k A CathyBob n || Alice || Bob || { r 1 || n || Alice || Bob } k A || { r 2 || n || Alice || Bob } k B CathyBob n || { r 1 || k s } k A || { r 2 || k s } k B AliceBob n || { r 1 || k s } k A

INFSCI 2935: Introduction to Computer Security18 Argument: Alice talking to Bob Fourth message Fourth message  If n matches first message, Alice knows it is part of this protocol exchange  Cathy generated k s because only she, Alice know k A  Enciphered part belongs to exchange as r 1 matches r 1 in encrypted part of first message

INFSCI 2935: Introduction to Computer Security19 Argument: Bob talking to Alice Third message Third message  If n matches second message, Bob knows it is part of this protocol exchange  Cathy generated k s because only she, Bob know k B  Enciphered part belongs to exchange as r 2 matches r 2 in encrypted part of second message

INFSCI 2935: Introduction to Computer Security20 Replay Attack Eve acquires old k s, message in third step Eve acquires old k s, message in third step  n || { r 1 || k s } k A || { r 2 || k s } k B Eve forwards appropriate part to Alice Eve forwards appropriate part to Alice  Alice has no ongoing key exchange with Bob: n matches nothing, so is rejected  Alice has ongoing key exchange with Bob: n does not match, so is again rejected If replay is for the current key exchange, and Eve sent the relevant part before Bob did, Eve could simply listen to traffic; no replay involved

INFSCI 2935: Introduction to Computer Security21 Public Key Key Exchange Here interchange keys known Here interchange keys known  e A, e B Alice and Bob’s public keys known to all  d A, d B Alice and Bob’s private keys known only to owner Simple protocol Simple protocol  k s is desired session key Alice Bob { k s } e B

INFSCI 2935: Introduction to Computer Security22 Problem and Solution Vulnerable to forgery or replay Vulnerable to forgery or replay  Because e B known to anyone, Bob has no assurance that Alice sent message Simple fix uses Alice’s private key Simple fix uses Alice’s private key  k s is desired session key Alice Bob { { k s } d A } e B

INFSCI 2935: Introduction to Computer Security23 Notes Can include message enciphered with k s Can include message enciphered with k s Assumes Bob has Alice’s public key, and vice versa Assumes Bob has Alice’s public key, and vice versa  If not, each must get it from public server  If keys not bound to identity of owner, attacker Eve can launch a man-in-the-middle attack (next slide; Cathy is public server providing public keys)

INFSCI 2935: Introduction to Computer Security24 Man-in-the-Middle Attack Alice Cathy send me Bob’s public key Eve Cathy send me Bob’s public key Eve Cathy eBeB Alice eEeE Eve Alice Bob { k s } e E Eve Bob { k s } e B Eve intercepts request Eve intercepts message

INFSCI 2935: Introduction to Computer Security25 Key Generation Goal: generate difficult to guess keys Goal: generate difficult to guess keys Problem statement: given a set of K potential keys, choose one randomly Problem statement: given a set of K potential keys, choose one randomly  Equivalent to selecting a random number between 0 and K–1 inclusive Why is this hard: generating random numbers Why is this hard: generating random numbers  Actually, numbers are usually pseudo-random, that is, generated by an algorithm

INFSCI 2935: Introduction to Computer Security26 What is “Random”? Sequence of cryptographically random numbers: a sequence of numbers n 1, n 2, … such that for any integer k > 0, an observer cannot predict n k even if all of n 1, …, n k–1 are known Sequence of cryptographically random numbers: a sequence of numbers n 1, n 2, … such that for any integer k > 0, an observer cannot predict n k even if all of n 1, …, n k–1 are known  Best: physical source of randomness Electromagnetic phenomena Characteristics of computing environment such as disk latency Ambient background noise

INFSCI 2935: Introduction to Computer Security27 What is “Pseudorandom”? Sequence of cryptographically pseudorandom numbers: sequence of numbers intended to simulate a sequence of cryptographically random numbers but generated by an algorithm Sequence of cryptographically pseudorandom numbers: sequence of numbers intended to simulate a sequence of cryptographically random numbers but generated by an algorithm  Very difficult to do this well Linear congruential generators [n k = (an k–1 + b) mod n] broken (a, b and n are relatively prime) Polynomial congruential generators [n k = (a j n k–1 j + … + a 1 n k–1 a 0 ) mod n] broken too Here, “broken” means next number in sequence can be determined

INFSCI 2935: Introduction to Computer Security28 Best Pseudorandom Numbers Strong mixing function: function of 2 or more inputs with each bit of output depending on some nonlinear function of all input bits Strong mixing function: function of 2 or more inputs with each bit of output depending on some nonlinear function of all input bits  Examples: DES, MD5, SHA-1  Use on UNIX-based systems: (date; ps gaux) | md5 where “ps gaux” lists all information about all processes on system

INFSCI 2935: Introduction to Computer Security29 Digital Signature Construct that authenticates origin, contents of message in a manner provable to a disinterested third party (“judge”) Construct that authenticates origin, contents of message in a manner provable to a disinterested third party (“judge”) Sender cannot deny having sent message (service is “nonrepudiation”) Sender cannot deny having sent message (service is “nonrepudiation”)  Limited to technical proofs Inability to deny one’s cryptographic key was used to sign  One could claim the cryptographic key was stolen or compromised Legal proofs, etc., probably required;

INFSCI 2935: Introduction to Computer Security30 Common Error Classical: Alice, Bob share key k Classical: Alice, Bob share key k  Alice sends m || { m }k to Bob This is a digital signature WRONG This is not a digital signature This is not a digital signature  Why? Third party cannot determine whether Alice or Bob generated message

INFSCI 2935: Introduction to Computer Security31 Classical Digital Signatures Require trusted third party Require trusted third party  Alice, Bob each share keys with trusted party Cathy To resolve dispute, judge gets { m }k Alice, { m }k Bob, and has Cathy decipher them; if messages matched, contract was signed To resolve dispute, judge gets { m }k Alice, { m }k Bob, and has Cathy decipher them; if messages matched, contract was signed Alice Bob Cathy Bob { m }k Alice { m }k Bob

INFSCI 2935: Introduction to Computer Security32 Public Key Digital Signatures Alice’s keys are d Alice, e Alice Alice’s keys are d Alice, e Alice Alice sends Bob Alice sends Bob m || { m }d Alice In case of dispute, judge computes In case of dispute, judge computes { { m }d Alice }e Alice and if it is m, Alice signed message and if it is m, Alice signed message  She’s the only one who knows d Alice !

INFSCI 2935: Introduction to Computer Security33 RSA Digital Signatures Use private key to encipher message Use private key to encipher message  Protocol for use is critical Key points: Key points:  Never sign random documents, and when signing, always sign hash and never document Mathematical properties can be turned against signer  Sign message first, then encipher Changing public keys causes forgery

INFSCI 2935: Introduction to Computer Security34 Attack #1 Example: Alice, Bob communicating Example: Alice, Bob communicating  n A = 95, e A = 59, d A = 11  n B = 77, e B = 53, d B = contracts, numbered 00 to contracts, numbered 00 to 25  Alice has Bob sign 05 and 17: c = m d B mod n B = mod 77 = 3 c = m d B mod n B = mod 77 = 19  Alice computes 05  17 mod 77 = 08; corresponding signature is 03  19 mod 77 = 57; claims Bob signed 08  Note: [(a mod n) × (b mod n)] mod n = (a × b) mod n  Judge computes c e B mod n B = mod 77 = 08 Signature validated; Bob is toast!

INFSCI 2935: Introduction to Computer Security35 Attack #2: Bob’s Revenge Bob, Alice agree to sign contract 06 Bob, Alice agree to sign contract 06 Alice enciphers, then signs: Alice enciphers, then signs:  Enciper: c = m e B mod n B = (06 53 mod 77) 11  Sign: c d A mod n A = (06 53 mod 77) 11 mod 95 = 63 Bob now changes his public key Bob now changes his public key  Bob wants to claim that Alice singed N (13)  Computes r such that 13 r mod 77 = 6; say, r = 59  Computes r.e B mod  (n B ) = 59  53 mod 60 = 7  Replace public key e B with 7, private key d B = 43 Bob claims contract was 13. Judge computes: Bob claims contract was 13. Judge computes:  (63 59 mod 95) 43 mod 77 = 13  Verified; now Alice is toast Solution: sign first and then encipher!! Solution: sign first and then encipher!!

INFSCI 2935: Introduction to Computer Security36 El Gamal Digital Signature Relies on discrete log problem Relies on discrete log problem Choose p prime, g, d < p; Choose p prime, g, d < p; Compute y = g d mod p Compute y = g d mod p Public key: (y, g, p); private key: d Public key: (y, g, p); private key: d To sign contract m: To sign contract m:  Choose k relatively prime to p–1, and not yet used  Compute a = g k mod p  Find b such that m = (da + kb) mod p–1  Signature is (a, b) To validate, check that To validate, check that  y a a b mod p = g m mod p

INFSCI 2935: Introduction to Computer Security37 Example Alice chooses p = 29, g = 3, d = 6 Alice chooses p = 29, g = 3, d = 6 y = 3 6 mod 29 = 4 Alice wants to send Bob signed contract 23 Alice wants to send Bob signed contract 23  Chooses k = 5 (relatively prime to 28)  This gives a = g k mod p = 3 5 mod 29 = 11  Then solving 23 = (6  b) mod 28 gives b = 25  Alice sends message 23 and signature (11, 25) Bob verifies signature: g m mod p = 3 23 mod 29 = 8 and y a a b mod p = mod 29 = 8 Bob verifies signature: g m mod p = 3 23 mod 29 = 8 and y a a b mod p = mod 29 = 8  They match, so Alice signed

INFSCI 2935: Introduction to Computer Security38 Attack Eve learns k, corresponding message m, and signature (a, b) Eve learns k, corresponding message m, and signature (a, b)  Extended Euclidean Algorithm gives d, the private key Example from above: Eve learned Alice signed last message with k = 5 Example from above: Eve learned Alice signed last message with k = 5 m = (da + kb) mod p–1 = 23 =(11d + 5  25) mod 28 So Alice’s private key is d = 6

INFSCI 2935: Introduction to Computer Security39 Kerberos Authentication system Authentication system  Based on Needham-Schroeder with Denning-Sacco modification  Central server plays role of trusted third party (“Cathy”) Ticket (credential) Ticket (credential)  Issuer vouches for identity of requester of service Authenticator Authenticator  Identifies sender Alice must Alice must 1.Authenticate herself to the system 2.Obtain ticket to use server S

INFSCI 2935: Introduction to Computer Security40 Overview User u authenticates to Kerberos server User u authenticates to Kerberos server  Obtains ticket T u,TGS for ticket granting service (TGS) T u,TGS = TGS || { u || u’s address || valid time || k u,TGS } k TGS User u wants to use service s: User u wants to use service s:  User sends authenticator A u, ticket T u,TGS to TGS asking for ticket for service  TGS sends ticket T u,s to user  User sends A u, T u,s to server as request to use s Details follow Details follow

INFSCI 2935: Introduction to Computer Security41 Ticket Credential saying issuer has identified ticket requester Credential saying issuer has identified ticket requester Example ticket issued to user u for service s Example ticket issued to user u for service s T u,s = s || { u || u’s address || valid time || k u,s } k s where:  k u,s is session key for user and service  Valid time is interval for which the ticket is valid  u’s address may be IP address or something else Note: more fields, but not relevant here

INFSCI 2935: Introduction to Computer Security42 Authenticator Credential containing identity of sender of ticket Credential containing identity of sender of ticket  Used to confirm sender is entity to which ticket was issued Example: authenticator user u generates for service s Example: authenticator user u generates for service s A u,s = { u || generation time || k t } k u,s where:  k t is alternate session key  Generation time is when authenticator generated Note: more fields, not relevant here

INFSCI 2935: Introduction to Computer Security43 Protocol userAS user || TGS user AS { k u,TGS } k u || T u,TGS userTGS service || A u,TGS || T u,TGS userTGS user || { k u,s } k u,TGS || T u,s userservice A u,s || T u,s userservice { t + 1 } k u,s

INFSCI 2935: Introduction to Computer Security44 Analysis First two steps get user ticket to use TGS First two steps get user ticket to use TGS  User u can obtain session key only if u knows key shared with Cathy Next four steps show how u gets and uses ticket for service s Next four steps show how u gets and uses ticket for service s  Service s validates request by checking sender (using A u,s ) is same as entity ticket issued to  Step 6 optional; used when u requests confirmation

INFSCI 2935: Introduction to Computer Security45 Problems Relies on synchronized clocks Relies on synchronized clocks  If not synchronized and old tickets, authenticators not cached, replay is possible Tickets have some fixed fields Tickets have some fixed fields  Dictionary attacks possible  Kerberos 4 session keys weak (had much less than 56 bits of randomness); researchers at Purdue found them from tickets in minutes

INFSCI 2935: Introduction to Computer Security46 Project Implementation Implementation  Reasonable sophistication  Up to 3 people Survey type paper Survey type paper  Comparative/tradeoff studies  Current trends, challenges, possible approaches  One person!  Number of references should be adequate (depends on area)  No introductory stuff! New idea/research ?? New idea/research ?? Others: Case studies?? Others: Case studies??

INFSCI 2935: Introduction to Computer Security47 Project Topics (not limited to these only!)  XML security  Implementation of Access Control and Authentication  Cryptographic protocols  Database security  Ad hoc network security  Cyber Security  Privacy  Web service security / Java security  Intrusion detection  Auditing Systems  Security and ethics/Usability/Economics  Smartcards and standards for smartcards  E-commerce security (secure transaction)  Multimedia security  Security in wireless/mobile environments  Case studies from a specific domain

INFSCI 2935: Introduction to Computer Security48 Project Schedule Proposal (by Nov 18) Proposal (by Nov 18)  Up to 2 pages (identify a group)  State the goals  State the significance Final project report Final project report  By the last day of the semester  Article format, or conference format Each person should state his contribution  Implementation projects should demonstrate to TA and/or me

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.