Using Cryptography for Network Security Common problems: –Authentication - A and B want to prove their identities to one another –Key-distribution - A.

Slides:



Advertisements
Similar presentations
1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
Advertisements

AUTHENTICATION AND KEY DISTRIBUTION
CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
CSC 474 Information Systems Security
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.
Authenticated Key Exchange. Lecture Outline Example of how poor security design can cause problems Design Principles for building security protocols Key.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.
Overview Beyond basic cryptography:
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Slide 1 Vitaly Shmatikov CS 378 Key Establishment Pitfalls.
Chapter 9 Cryptographic Protocol Cryptography-Principles and Practice Harbin Institute of Technology School of Computer Science and Technology Zhijun Li.
Key Distribution CS 470 Introduction to Applied Cryptography
Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.
Diffie-Hellman Key Exchange
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.
Network and Communications Network Security Department of Computer Science Virginia Commonwealth University.
IT 221: Introduction to Information Security Principles Lecture 6:Digital Signatures and Authentication Protocols For Educational Purposes Only Revised:
Symmetric versus Asymmetric Cryptography. Why is it worth presenting cryptography? Top concern in security Fundamental knowledge in computer security.
Public-Key Cryptography CS110 Fall Conventional Encryption.
Chapter 3: Basic Protocols Dulal C. Kar. Key Exchange with Symmetric Cryptography Session key –A separate key for one particular communication session.
Network Security Lecture 23 Presented by: Dr. Munam Ali Shah.
Security protocols  Authentication protocols (this lecture)  Electronic voting protocols  Fair exchange protocols  Digital cash protocols.
Security protocols and their verification Mark Ryan University of Birmingham Midlands Graduate School University of Birmingham April 2005 Steve Kremer.
Using Cryptography for Network Security Common problems: –Authentication - A and B want to prove their identities to one another –Key-distribution - A.
Week 4 - Wednesday.  What did we talk about last time?  RSA algorithm.
Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
1 Lecture 9: Cryptographic Authentication objectives and classification one-way –secret key –public key mutual –secret key –public key establishing session.
Lecture 16: Security CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9.
Digital Signatures, Message Digest and Authentication Week-9.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
1 Needham-Schroeder A --> S: A,B, N A S --> A: {N A,B,K AB,{K AB,A} KBS } KAS A --> B:{K AB,A} KBS B --> A:{N B } KAB A --> B:{N B -1} KAB.
6 June Lecture 2 1 TU Dresden - Ws on Proof Theory and Computation Formal Methods for Security Protocols Catuscia Palamidessi Penn State University,
Authentication Issues and Solutions CSCI 5857: Encoding and Encryption.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
A A E E D D C C B B # Symmetric Keys = n*(n-1)/2 F F
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Authentication Protocols (I): Secure Handshake.
Key Management Network Systems Security Mort Anvari.
1 Authentication Protocols Rocky K. C. Chang 9 March 2007.
1 Authenticated Key Exchange Rocky K. C. Chang 20 March 2007.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
Cryptography and Network Security Chapter 10 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Fall 2006CS 395: Computer Security1 Key Management.
1 Chapter 3-3 Key Distribution. 2 Key Management public-key encryption helps address key distribution problems have two aspects of this: –distribution.
SECURITY. Security Threats, Policies, and Mechanisms There are four types of security threats to consider 1. Interception 2 Interruption 3. Modification.
Pertemuan #8 Key Management Kuliah Pengaman Jaringan.
Dr. Nermi hamza.  A user may gain access to a particular workstation and pretend to be another user operating from that workstation.  A user may eavesdrop.
Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
CRYPTOGRAPHic Protocols and Diffie-Hellman-Merkle Key Exchange
IT IS 6200/8200.
Diffie/Hellman Key Exchange
AIT 682: Network and Systems Security
Key Exchange With Public Key Cryptography
Presentation transcript:

Using Cryptography for Network Security Common problems: –Authentication - A and B want to prove their identities to one another –Key-distribution - A and B want to agree on a session key that can be used to encrypt all subsequent communications Solution: cryptographic protocols Host A TCP/IP Internet Host B

Authentication Authentication is the process of proving your identity to someone else –One-way –Two-way Authentication protocols are often designed using a challenge and response mechanism –Authenticator creates a random challenge –Authenticatee proves identity by replying with the appropriate response

One-way Authentication Using Symmetric-Key Cryptography Assume that Alice and Bob share a secret symmetric key, K AB One-way authentication protocol: –Alice creates a nonce, N A, and sends it to Bob as a challenge –Bob encrypts Alice’s nonce with their secret key and returns the result, Encrypt(N A, K AB ), to Alice –Alice can decrypt Bob’s response and verify that the result is her nonce A: => B(N A ); B: => A(Encrypt(N A, K AB ));

One-way Authentication Using Symmetric-Key Cryptography Problem: an adversary, Mallory, might be able to impersonate Bob to Alice: –Alice sends challenge to Bob (intercepted by Mallory) –Mallory does not know K AB and thus cannot create the appropriate response –Mallory may be able to trick Bob (or Alice) into creating the appropriate response for her: A: => M(N A ); M: => B(N A ); B: => M(Encrypt(N A, K AB )); M: => A(Encrypt(N A, K AB ));

One-way Authentication Using Public-Key Cryptography Alice sends a nonce to Bob as a challenge Bob replies by encrypting the nonce with his private key Alice decrypts the response using Bob’s public key and verify that the result is her nonce A: => B(N A ); B: => A(Encrypt(N A, B Private )); Encrypting any message that someone sends as an authentication challenge might not be a good idea

One-way Authentication Using Public-Key Cryptography Another challenge-and-response authentication protocol: –Alice performs a computation based on some random numbers (chosen by Alice) and her private key and sends the result to Bob –Bob sends Alice a random number (chosen by Bob) –Alice makes some computation based on her private key, her random numbers, and the random number received from Bob and sends the result to Bob –Bob performs some computations on the various numbers and Alice’s public key to verify that Alice knows her private key Advantage: Alice never encrypts a message chosen by someone else

Authentication and Key-Exchange Protocols Combine authentication and key-exchange Assume Carla and Diane are on opposite ends of a network and want to talk securely –Want to agree on a new session key securely –Want to each be sure that they are talking to the other and not an intruder Wide-Mouth Frog –Assumes a trusted third-party, Sam, who shares a secret keys, K C and K D, respectively, with Carla and Diane

Authentication and Key-Exchange Protocols Wide-Mouth Frog C: => S (C,Encrypt((D,K CD,T C ),K CS )); S: => D (Encrypt((C, K CD, T S ), K DS )); Observations: –Reliance on synchronized clocks to generate timestamps –Depends on a third-party that both participants trust –Initiator is trusted to generate good session keys

Authentication and Key-Exchange Protocols Needham and Schroeder C => S: (C, D, N C ); S => C: (Encrypt((N C, B, K CD, Encrypt((C,K CD ),K D )),K C )); C => D: (Encrypt((C,K CD ),K D ); D => C: (Encrypt(N D, K CD )); C => D: (Encrypt(N D -1, K CD ));

Attacking the Protocol As seen previously: Carla and Diane set up a secure session protected by K CD Mallory, watches them do this and stores their messages Mallory cryptanalyzes the session and recovers K CD Mallory replays the old message containing K CD Mallory can fool Diane into thinking she is talking “securely” to Carla

Attacking the Protocol (cont) C => S: (C, D, N C ); S => C: (Encrypt((N C, B, K CD, Encrypt((C,K CD ),K D )),K C )); C => D: (Encrypt((C,K CD ),K D ); D => C: (Encrypt(N D, K CD )); C => D: (Encrypt(N D -1, K CD )); // Carla and Diane encrypt their messages using K CD // Mallory recovers K CD by analyzing the session C => S: (C, D, N C’ ); S => C: (Encrypt((N C’, B, K CD, Encrypt((C,K CD’ ),K D )),K C )); C => D: (Encrypt((C,K CD’ ),K D ); // Mallory intercepts the above message and replaces it M => D: (Encrypt((C,K CD ),K D ); D => M: (Encrypt(N D’, K CD )); M => D: (Encrypt(N D’ -1, K CD ));

Authentication and Key-Exchange Protocols Yahalom C => D (C,N C ); D => S (D,Encrypt((C,N C,N D ),K D )); S => C (Encrypt((D,K CD,N C,N D ),K C ),Encrypt((C,K CD ),K D )); C => D (Encrypt((C,K CD ),K D ),Encrypt(N D,K CD )); Note: Diane is the first one to contact Sam who only sends one message to Carla

Authentication and Key-Exchange Protocols Denning and Sacco (public-key) –Carla sends a message to Sam including her name and Diane’s name –Sam replies with signed copies of both Carla and Diane’s public key C: => S(C,D); S: => C(Encrypt((C,C Public,T S ),S Priavte ),Encrypt((D,D Public,T S ),S Priavte )); C: => D(Encrypt((C,C Public,T S ),S Priavte ),Encrypt((D,D Public,T S ),S Priavte )); –Carla generates the session key, K CD, and signed a message containing it and a timestamp with her private key C: => D(Encrypt(Encrypt((K CD,T C ),C Private ),D Public ));

Authentication and Key-Exchange Protocols A weakness of the Denning and Sacco protocol –Harry can trick Diane into thinking that she is communicating with Carla when she is really communicating with Harry –Harry establishes a session key, K CH, with Carla C: => H(Encrypt(Encrypt((K CH,T C ),C Private ),H Public )); –Harry decrypts Carla’s message and learns K CH –Harry encrypts Carla’s signed message with Diane’s public key, and sends the result to Diane claiming to be Carla H: => D(Encrypt(Encrypt((K CH,T C ),C Private ),D Public )); –Diane will decrypt the message, check the signature and timestamp, and believe that she is talking to Carla with K CH as the session key

Authentication and Key-Exchange Protocols Fixing the Denning and Sacco protocol: –Add the other party’s name to the key exchange message: C: => D(Encrypt(Encrypt((D,K CD,T C ),C Private ),D Public ));