CIS/TCOM 551 Computer and Network Security Slide Set 5 Carl A. Gunter Spring 2004.

Protocols
- Overview
- Entity Authentication
- Key Establishment

General Definition of “Protocol”
- A protocol is a multi-party algorithm, defined by a sequence of steps precisely specifying the actions required of two or more parties in order to achieve a specified objective.

Arbitrated Protocols

Adjudicated Protocols

Self-Enforcing Protocols

Protocol Sample Threat
- Common strategy:
  - Encrypt for confidentiality.
  - Sign for integrity.
- Is it better to sign then encrypt?
- Or is it better to encrypt then sign?
- There is a pitfall.

Messages
- P -> R : ER(M, DP(M))
  - R decodes with DR.
  - Verifies with EP: EP(DP(M)) = M ?
- P -> R : ER(M), DP(ER(M))
  - R decodes with DR.
  - Verifies with EP: EP(DP(ER(M))) = ER(M) ?

Pitfall
- Interception scenario:
  - P -> O (R) : ER(M), DP(ER(M))
  - O -> R : ER(M), DO(ER(M))
- R might think that M came from O.
- Is this really a problem?
- To be safe: sign then encrypt.

Foundations of Authentication
- Authentication is based on one or more of the following:
  - Something you know.
  - Something you have.
  - Something inherent about you.

Entity Authentication
- Aims and Threats
- Weak Security: Passwords
- Strong Security: Challenge-Response

Typical Setup
[Figure: a claimant supplies a userid (identification) and a password (authentication) to a verifier.]
- Terminology: identification will be used to refer to the combination of claimed identity and its authentication.

Aim
- For honest parties, the claimant A is able to authenticate itself to the verifier B. That is, B will complete the protocol having accepted A’s identity.

Threats
- Transferability: B cannot reuse an identification exchange with A to successfully impersonate A to a third party C.
- Impersonation: The probability is negligible that a party C distinct from A can carry out the protocol in the role of A and cause B to accept it as having A’s identity.

Assumptions
- A large number of previous authentications between A and B may have been observed.
- The adversary C has participated in previous protocol executions with A and/or B.
- Multiple instances of the protocol, possibly instantiated by C, may be run simultaneously.

Attacks Not Addressed
- Identification affirms that communication with the expected party occurred at a given point in time.
- Two active attacks are not addressed:
  - Usurpation: The session beginning with the identification is “usurped” by the attacker as a man-in-the-middle.
  - Grand Master Postal Attack Problem: A man-in-the-middle relays messages between two parties without changing them.

Unix Passwords
- Humans need memorable keys, so care must be taken to use these keys properly.
- Password Security: A Case History, Robert Morris and Ken Thompson, CACM v22 (1979).

Make a File of Passwords
- At first Unix was implemented with a password file holding the actual passwords of users.
- This was vulnerable to many lapses:
  - Copies were made by privileged users.
  - Copies were made by bugs: the classic example posted the password file on the daily message file.
  - Physical access to backups was a vulnerability.
  - Information from the password file needed to be replicated into many other files.

First Approach
- Encrypt the passwords and keep the encrypted version.
- Take the password from the user, encrypt it, and compare with the password file entry.
- Problems:
  - Poor user selection of passwords.
  - Online dictionary attack.
- On a PDP-11/70 it was possible to compute the encryptions of all passwords using 6 lower-case letters in about 107 hours.

Heuristics for Guessing
- The dictionary with the words spelled backwards.
- A list of first names (best obtained from some mailing list). Last names, street names, and city names also work well.
- The above with initial upper-case letters.
- All valid license plate numbers in your state. (About 5 hours work in 1979 for New Jersey.)
- Room numbers, social security numbers, telephone numbers, and the like.

A Survey of 3,289 Passwords
- With no constraints on choice of password, Morris and Thompson got the following results:
  - 15 were a single ASCII letter.
  - 72 were strings of two ASCII letters.
  - 464 were strings of three ASCII letters.
  - 47 were strings of four alphanumerics.
  - 706 were five letters, all upper-case or all lower-case.
  - 605 were six letters, all lower case.

Risk in Password Restrictions
- An installation required users to accept a machine-selected password.
- These were 8 characters long (lower case and digits) and generated from a pseudorandom number generator.
- There were only 2**15 starting values (seeds).
- Time to search strings of length 8 required 112 years (on machines of the time).
- Time to check 2**15 seeds: not long!

Improvements to First Approach
- Slower encryption: use the password to create a key, then encrypt a constant using 25 iterations of the DES algorithm.
- Enforce password rules.
- “Mess up” DES: change the algorithm so that stock hardware cannot be used.

Slowing Dictionary Attacks
- “Salt” the passwords by adding random bits.
  - Makes dictionary attacks more expensive.
  - Decreases the likelihood that two identical passwords will appear as identical entries in the password file.
- A 12 bit salt results in 4,096 versions of each password.

Classic Unix Crypt – part 1
- Supplied by the user: a password P, truncated to 8 characters by the system.
- Held by the system: a 77 bit value consisting of a 12 bit salt S and a cryptographic hash derived as follows.
- Pad the password with zeros if necessary to get a 56 bit key K.

Classic Unix Crypt – part 2
- Create a modified DES with expansion permutations (32 to 48 bits) determined by S.
- Use K as a DES key to encrypt a 64 bit block of zeros, running the encryption 25 times.
- This yields a 64 bit ciphertext. Add the 12 bit salt and represent this as 11 7-bit characters.

One Time Passwords
- Shared lists.
- Sequentially updated.
- One-time password sequences based on a one-way function.

Hash-based 1-time Passwords
- A claimant identifies itself to verifier B using a one-way hash function H.
- One-time setup:
  - A chooses a secret w.
  - Fixes a constant t for the number of times the verification can be done.
  - A securely transfers H**t(w) to B.
- Protocol messages. For the i’th identification where 1 <= i <= t:
  - A -> B : A, i, H**(t-i)(w)

Hash-based 1-time Passwords
- Protocol actions. For session i, claimant A does the following to identify itself:
  - A computes w’ = H**(t-i)(w) and transmits the value to B.
  - B checks that i is the correct session (i.e. that the previous session was i-1) and checks to see if H(v) = w’ where v was the last value provided by A (as part of session i-1).
  - B saves w’ and i for use in the next session.
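A runnable version of the hash-based scheme just described, added here as an illustration and not code from the original slides. SHA-256 stands in for H; B stores only the last accepted value and the session index, and accepts session i when one more application of H to the received value reproduces what it saved from session i-1, which is also why a replayed message and a guessed value both fail.

```python
import hashlib
import secrets


def H(x):
    """The one-way function of the slides; SHA-256 stands in for H."""
    return hashlib.sha256(x).digest()


def hash_iter(x, n):
    """H**n(x): apply H n times (H**0(x) is x itself)."""
    for _ in range(n):
        x = H(x)
    return x


class Claimant:
    """A: keeps the secret w and the counter t; sends one value per session."""

    def __init__(self, name, t):
        self.name, self.t = name, t
        self.w = secrets.token_bytes(32)   # the secret w, chosen at setup
        self.next_i = 1

    def setup_value(self):
        """H**t(w), handed to B once over a secure channel during setup."""
        return hash_iter(self.w, self.t)

    def identify(self):
        """Message for session i: (A, i, H**(t-i)(w))."""
        i = self.next_i
        if i > self.t:
            raise RuntimeError("sequence exhausted after t sessions; redo setup")
        self.next_i += 1
        return self.name, i, hash_iter(self.w, self.t - i)


class Verifier:
    """B: stores only the last accepted value v and the session index, nothing secret."""

    def __init__(self, claimant, v0):
        self.claimant = claimant
        self.v = v0            # H**t(w) right after setup
        self.last_i = 0

    def verify(self, name, i, w_prime):
        if name != self.claimant or i != self.last_i + 1:
            return False       # wrong party, or not the next session (a replayed i)
        if H(w_prime) != self.v:
            return False       # one more H must reproduce the value saved from session i-1
        self.v, self.last_i = w_prime, i   # now v = H**(t-i)(w)
        return True


def run_demo(t=5):
    """t honest sessions with a replay and a guessed value mixed in; returns B's verdicts."""
    a = Claimant("A", t)
    b = Verifier("A", a.setup_value())
    out = {"accepted": 0, "replay_rejected": False, "guess_rejected": False}
    m1 = a.identify()                                   # session 1
    if b.verify(*m1):
        out["accepted"] += 1
    out["replay_rejected"] = not b.verify(*m1)          # same message again: index is stale
    out["guess_rejected"] = not b.verify("A", 2, secrets.token_bytes(32))  # right i, unknown value
    for _ in range(t - 1):                              # sessions 2 .. t
        if b.verify(*a.identify()):
            out["accepted"] += 1
    return out


if __name__ == "__main__":
    print(run_demo())
```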

Challenge-Response
- Background:
  - Random numbers (nonces).
  - Sequence numbers.
  - Timestamps.
- Symmetric keys.
  - With timestamps or random numbers.
- MACs.
- Asymmetric keys.
  - With encryption or signature.

Replay
- Replay is the threat in which a transmission is observed by an eavesdropper who subsequently reuses it as part of a protocol, possibly to impersonate the original sender.
- Example: monitor the first part of a telnet session to obtain a sequence of transmissions sufficient to get a log-in.
- There are 3 general strategies for defeating replay attacks: nonces, timestamps, and sequence numbers.

Random Numbers
- A random number is a number chosen unpredictably in a range.
- In a challenge-response protocol they are used as follows:
  - The verifier chooses a (new) random number and provides it to the claimant.
  - The claimant performs an operation on it showing knowledge of a secret.
  - This information is bound inseparably to the random number and returned to the verifier for examination.
  - A timeout period is used to ensure “freshness”.

Sequence Numbers
- Sequence numbers provide a sequential or monotonic counter on messages.
- If a message is replayed and the original message was received, the replay will have an old or too-small sequence number and be discarded.
- Cannot detect forced delay.
- Difficult to maintain when there are system failures.

Time Stamps
- The claimant sends a message with a timestamp.
- The verifier checks that it falls within an acceptance window of time.
- The last timestamp received is held, and identification requests with older timestamps are ignored.
- Good only if clock synchronization is close enough for the acceptance window.
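The three replay defenses above written as verifier-side bookkeeping, an added example rather than code from the slides: the timestamp acceptance window together with the held last timestamp, the per-claimant monotonic sequence counter, and a verifier-issued random number that is answerable once and only within a timeout (the keyed response that proves a secret is outside this bookkeeping). The FakeClock and the window and timeout values are constructed for the demonstration.

```python
import secrets
import time


class TimestampCheck:
    """Timestamp rule from the slides: the claimant's t must fall inside an acceptance
    window around the verifier's clock, and must be newer than the last t accepted."""

    def __init__(self, window_s, clock=time.time):
        self.window_s, self.clock = window_s, clock
        self.last_ts = None

    def accept(self, ts):
        if abs(self.clock() - ts) > self.window_s:
            return False          # outside the window: clock skew or a delayed message
        if self.last_ts is not None and ts <= self.last_ts:
            return False          # not newer than the last one held: a replay
        self.last_ts = ts
        return True


class SequenceCheck:
    """Monotonic counter per claimant: a replayed message has an old or too-small number."""

    def __init__(self):
        self.last_seq = {}

    def accept(self, claimant, seq):
        if seq <= self.last_seq.get(claimant, -1):
            return False
        self.last_seq[claimant] = seq
        return True


class NonceChallenge:
    """Verifier-chosen random number: issued fresh, answerable once, and only within a
    timeout. Checking the keyed response itself is a separate step."""

    def __init__(self, timeout_s, clock=time.time):
        self.timeout_s, self.clock = timeout_s, clock
        self.pending = {}         # nonce -> time issued

    def issue(self):
        r = secrets.token_hex(16)
        self.pending[r] = self.clock()
        return r

    def accept(self, r):
        issued = self.pending.pop(r, None)   # pop: a challenge can be answered only once
        return issued is not None and self.clock() - issued <= self.timeout_s


class FakeClock:
    """Constructed clock so the demo is deterministic; advance it by adding to .t."""

    def __init__(self, t=1_000_000.0):
        self.t = t

    def __call__(self):
        return self.t


def run_demo():
    clock = FakeClock()
    ts = TimestampCheck(window_s=60, clock=clock)
    out = {"ts": [ts.accept(clock.t - 5),      # inside window, first seen: accepted
                  ts.accept(clock.t - 5),      # same timestamp again: replay
                  ts.accept(clock.t - 300)]}   # outside the 60 s window
    clock.t += 10
    out["ts"].append(ts.accept(clock.t - 1))   # later and inside the window: accepted
    seq = SequenceCheck()
    out["seq"] = [seq.accept("A", 1), seq.accept("A", 2), seq.accept("A", 1), seq.accept("B", 1)]
    nc = NonceChallenge(timeout_s=30, clock=clock)
    r1 = nc.issue()
    out["nonce"] = [nc.accept(r1), nc.accept(r1)]   # first answer ok, second is a replay
    r2 = nc.issue()
    clock.t += 31
    out["nonce"].append(nc.accept(r2))              # answered after the timeout
    return out
```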

Unilateral Symmetric Key
- Unilateral authentication with timestamp generated by A:
  - A -> B : E(K, (t, B))
- Unilateral authentication with random number generated by B:
  - B -> A : r
  - A -> B : E(K, (r, B))

Mutual Symmetric Key
- Using random numbers:
  - B -> A : rB
  - A -> B : E(K, (rA, rB, B))
  - B -> A : E(K, (rB, rA))

Mutual MAC Function
- Let H be a hash function and K be a shared secret between A and B.
  - B -> A : rB
  - A -> B : rA, H(K, (rA, rB, B))
  - B -> A : H(K, (rB, rA, A))
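The mutual MAC protocol above in Python, added here as an illustration and not code from the slides, with HMAC-SHA256 playing the role of H(K, ·) and the target party's identity inside each tag as the messages require. The second function shows what that identity buys: a response A computed for a verifier it believed was C cannot be passed to B.

```python
import hashlib
import hmac
import secrets


def mac(key, *fields):
    """H(K, (f1, f2, ...)) as HMAC-SHA256 over a length-prefixed encoding, so the
    field boundaries of (rA, rB, B) are part of what is authenticated."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        f = f.encode() if isinstance(f, str) else f
        h.update(len(f).to_bytes(2, "big") + f)
    return h.digest()


class Party:
    """One principal holding the shared key K; it can act as claimant or verifier."""

    def __init__(self, name, key):
        self.name, self.key = name, key
        self.rA = self.rB = None

    # message 1 (verifier side): B -> A : rB
    def challenge(self):
        self.rB = secrets.token_bytes(16)
        return self.rB

    # message 2 (claimant side): A -> B : rA, H(K, (rA, rB, B))
    def respond(self, verifier_name, rB):
        self.rA, self.rB = secrets.token_bytes(16), rB
        return self.rA, mac(self.key, self.rA, rB, verifier_name)

    # verifier side: check message 2, then send message 3: B -> A : H(K, (rB, rA, A))
    def check_and_reply(self, claimant_name, rA, tag):
        expected = mac(self.key, rA, self.rB, self.name)   # my own name must be inside
        if not hmac.compare_digest(tag, expected):
            return None
        return mac(self.key, self.rB, rA, claimant_name)

    # claimant side: check message 3 against its own rA, the rB it answered, and its name
    def check_reply(self, tag):
        expected = mac(self.key, self.rB, self.rA, self.name)
        return hmac.compare_digest(tag, expected)


def honest_run(key):
    a, b = Party("A", key), Party("B", key)
    rB = b.challenge()
    rA, tag2 = a.respond("B", rB)
    tag3 = b.check_and_reply("A", rA, tag2)
    return tag3 is not None and a.check_reply(tag3)


def misdirected_response_rejected(key):
    """The identity control at work: C forwards B's challenge rB to A as though it were
    C's own, hoping to hand A's answer to B. A's tag names the verifier it believes it is
    answering (C), so B's check, which requires B's own name, fails."""
    a, b = Party("A", key), Party("B", key)
    rB = b.challenge()                       # C relays this rB to A
    rA, tag = a.respond("C", rB)             # A believes the verifier is C
    return b.check_and_reply("A", rA, tag) is None
```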

Passkey Systems
[Figure: claimant A holds a PIN and a passcode generator F with secret S and a display; verifier B holds a challenge generator, a secret database and a comparator. A sends a login request, B returns a challenge (e), A's passcode generator produces the response (y) from S, the PIN and the challenge, and B compares it against its secret database.]

Unilateral Public Key Decryption
- Encryption under A’s public key is EA:
  - B -> A : H(r), B, EA(r, B)
  - A -> B : r
- The witness H(r) shows knowledge of r and prevents chosen plaintext attacks on EA.

Mutual Public Key Decryption
- Let EA and EB be the encryption functions for the public keys of A and B respectively.
  - A -> B : EB(rA, A)
  - B -> A : EA(rA, rB)
  - A -> B : rB

Unilateral Digital Signatures
- Let SA and SB be the signature functions of A and B respectively.
- Unilateral authentication with timestamps:
  - A -> B : t, B, SA(t, B)
- Unilateral authentication with random numbers:
  - B -> A : rB
  - A -> B : rA, B, SA(rA, rB, B)
  - The rA prevents chosen plaintext attacks.

Mutual Digital Signatures
- Using random numbers:
  - B -> A : rB
  - A -> B : rA, B, SA(rA, rB, B)
  - B -> A : A, SB(rB, rA, A)

Primary Attacks
- Impersonation.
- Replay.
- Interleaving.
- Reflection.
- Forced delay.
- Chosen plaintext.

Primary Controls
- Replay: use of challenge-response techniques and embedding the target identity in the response.
- Interleaving: link messages in a run with chained nonces.
- Reflection: embed the identifier of the target party in the challenge response, use asymmetric message formats, use unidirectional keys.

Primary Controls, continued
- Chosen text: embed self-chosen random numbers (“confounders”) in responses, use “zero knowledge” techniques.
- Forced delays: use random numbers with short timeouts, use timestamps with other techniques.

Multiple Use of Keys
- There are risks in using keys for multiple purposes.
- Using an RSA key for both entity authentication and signatures may allow a chosen-text attack.
- B is the attacker/verifier and chooses rB = H(M) for some message M.
  - B -> A : rB
  - A -> B : B, SA(rB)
  - B(A) -> C : M, SA(H(M))   (B, pretending to be A)

Effective Control
- Notice how the protocol described earlier foils this. Here’s the protocol:
  - B -> A : rB
  - A -> B : rA, B, SA(rA, rB, B)
- Here’s what happens:
  - B -> A : rB
  - A -> B : rA, B, SA(rA, rB, B)
  - B(A) -> C : M, SA(rA, H(M), B)
  - C finds that SA(rA, H(M), B) ≠ SA(H(M)) and rejects the signature.

Usurpation Attacks
- Identification protocols provide assurances corroborating the identity of an entity only at a given instant in time.
- Techniques to assure ongoing authenticity:
  - Periodic re-identification.
  - Tying identification to an ongoing integrity service. For example: key establishment and encryption.

Key Establishment
- Symmetric keys.
  - Point-to-Point.
  - Needham-Schroeder.
  - Kerberos.
- Asymmetric keys.
  - X.509 key establishment.
  - Attack example.
  - Station To Station (STS) protocol.
  - Bellovin-Merritt protocol.

Symmetric Keys
- Key establishment using only symmetric keys requires the use of pre-distributed keys to get things going.
- These can be based on:
  - Point to point distribution, or
  - a Key Distribution Center (KDC).

Point-to-Point
- Timestamp:
  - A -> B : E(K, (k, t, B))
- Nonce:
  - B -> A : r
  - A -> B : E(K, (k, r, B))
- k is the session key (ISO/IEC).

Key Distribution Center

Distribution Center Setup
- A wishes to communicate with B.
- T is a trusted third party that provides session keys.
- T has a key KAT in common with A and a key KBT in common with B.
- A authenticates T using a nonce rA and obtains a session key from T.
- A authenticates to B and transports the session key securely.

Needham-Schroeder
1. A -> T : A, B, rA
2. T -> A : E(KAT, (k, rA, B, E(KBT, (k, A))))
   A decrypts with KAT and checks rA and B. Holds k for future correspondence with B.
3. A -> B : E(KBT, (k, A))
   B decrypts with KBT.
4. B -> A : E(k, rB)
   A decrypts with k.
5. A -> B : E(k, rB - 1)
   B checks rB - 1.

Attack Scenario 1
1. A -> T : A, B, rA
2. T -> C (A) : E(KAT, (k, rA, B, E(KBT, (k, A))))
   C is unable to decrypt the message to A; passing it along unchanged does no harm. Any change will be detected by A.

Attack Scenario 2
1. A -> C (T) : A, B, rA
2. C (A) -> T : A, C, rA
3. T -> A : E(KAT, (k, rA, C, E(KCT, (k, A))))
   Rejected by A because C rather than B.

Attack Scenario 3
1. A -> C (T) : A, B, rA
2. C -> T : C, B, rA
3. T -> C : E(KCT, (k, rA, B, E(KBT, (k, C))))
4. C (T) -> A : E(KCT, (k, rA, B, E(KBT, (k, C))))
   A is unable to decrypt the message.

Attack Scenario 4
1. C -> T : C, B, rA
2. T -> C : E(KCT, (k, rA, B, E(KBT, (k, C))))
3. C (A) -> B : E(KBT, (k, C))
   B will see that the purported origin (A) does not match the identity indicated by the distribution center.
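The Needham-Schroeder run together with the checks behind Attack Scenarios 2 and 4, as an added symbolic simulation and not code from the slides: E(K, m) is modelled as a tagged value that only the holder of the same key name can open, so no real cipher is involved and only the protocol's own checks (the nonce rA and the peer name in message 2, the origin sealed inside the ticket in message 3) are exercised. Key names such as KAT follow the slides; the session key and nonce values are constructed.

```python
import secrets
from dataclasses import dataclass
from typing import Any, Tuple


@dataclass(frozen=True)
class Enc:
    """E(K, m) in a symbolic model: the body is readable only through dec with the
    same key name. No real cipher; the protocol's checks are what is exercised."""
    key: str
    body: Tuple[Any, ...]


def enc(key, *body):
    return Enc(key, tuple(body))


def dec(key, c):
    if not isinstance(c, Enc) or c.key != key:
        raise ValueError("cannot decrypt: wrong key")
    return c.body


def key_with_T(name):
    """Name of the long-term key a principal shares with T, e.g. KAT for A."""
    return "K" + name + "T"


class KDC:
    # T: answers message 1 with message 2 for whatever pair of names it is asked about.
    def step2(self, a, b, rA):
        k = "k_" + secrets.token_hex(4)                  # fresh session key
        return enc(key_with_T(a), k, rA, b, enc(key_with_T(b), k, a))


class Principal:
    def __init__(self, name):
        self.name, self.key = name, key_with_T(name)

    def check_msg2(self, rA, peer, msg2):
        """A's checks on message 2: its nonce and the peer it asked for (scenario 2)."""
        k, r, b, ticket = dec(self.key, msg2)
        if r != rA or b != peer:
            raise ValueError("A rejects message 2: nonce or peer mismatch")
        return k, ticket

    def accept_ticket(self, claimed_sender, ticket):
        """B's check on message 3: the name T sealed inside the ticket must be the
        party the message claims to come from (scenario 4)."""
        k, origin = dec(self.key, ticket)
        if origin != claimed_sender:
            raise ValueError("B rejects ticket: origin %s, claimed %s" % (origin, claimed_sender))
        return k


def honest_run(kdc, a, b):
    """Messages 1-5 between honest A and B; True if both end up holding the same k."""
    rA = secrets.token_hex(8)
    msg2 = kdc.step2(a.name, b.name, rA)          # 1. A -> T : A, B, rA ; 2. T -> A
    k, ticket = a.check_msg2(rA, b.name, msg2)
    kb = b.accept_ticket(a.name, ticket)          # 3. A -> B : E(KBT, (k, A))
    rB = secrets.randbelow(2 ** 32)
    (r,) = dec(k, enc(kb, rB))                    # 4. B -> A : E(k, rB)
    (r5,) = dec(kb, enc(k, r - 1))                # 5. A -> B : E(k, rB - 1)
    return r5 == rB - 1 and k == kb


def scenario2_rejected(kdc, a):
    """C rewrites message 1 to (A, C, rA); A finds C where it expects B."""
    msg2 = kdc.step2(a.name, "C", "r1")
    try:
        a.check_msg2("r1", "B", msg2)
        return False
    except ValueError:
        return True


def scenario4_rejected(kdc, c, b):
    """C obtains a valid ticket E(KBT, (k, C)) and presents it to B as if from A."""
    _, _, _, ticket = dec(c.key, kdc.step2(c.name, b.name, "r2"))
    try:
        b.accept_ticket("A", ticket)
        return False
    except ValueError:
        return True
```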

Kerberos Setup
- A, T, B, with shared keys KAT and KBT as in the distribution center.
- Nonce rA generated by A.
- Trusted synchronous clocks for generating a time t and checking expiration of a lifetime L.

Kerberos Messages
1. A -> T : A, B, rA
2. T -> A : E(KBT, (k, A, L)), E(KAT, (k, rA, L, B))
3. A -> B : E(KBT, (k, A, L)), E(k, (A, t))
4. B -> A : E(k, t)
E(KBT, (k, A, L)) is the ticket; E(k, (A, t)) is the authenticator.

Kerberos Actions
1. A -> T : A, B, rA
2. T -> A : E(KBT, (k, A, L)), E(KAT, (k, rA, L, B))
   Decrypt using KAT, check rA and B, and hold L for future reference.
3. A -> B : E(KBT, (k, A, L)), E(k, (A, t))
   Decrypt the ticket using KBT to get the session key and lifetime. Use the session key to decrypt the authenticator. Check A, t, L.
4. B -> A : E(k, t)
   Check t.

Asymmetric Key Exchange
- X.509 key establishment.
- Impersonation case study.
- STS.
- Bellovin-Merritt protocol.

X.509 Key Establishment Setup
- X.509 is part of the X.500 series of ISO/IEC standards.
- certA and certB are certificates for the public keys of A and B.
- A has encryption function EA and signature function SA. B has signature function SB.
- rA and rB are nonces.
- LA and LB are lifetimes (validity periods).

X.509 Key Est. Messages
- Let DA = EB(k), rA, LA, A.
- Let DB = rB, LB, rA, A.
- Two messages:
  1. A -> B : certA, DA, SA(DA)
     Check that the nonce rA has not been seen, and is not expired according to LA. Remember it for its lifetime LA.
  2. B -> A : certB, DB, SB(DB)
     Check the rA and A. Check that rB has not been seen and is not expired according to LB.

X.509 Variant
- X.509 supports several variants on the previously-described protocol.
- Let DA = EB(kA), rA, LA, A.
- Let DB = EA(kB), rB, LB, rA, A.
- Two messages:
  1. A -> B : certA, DA, SA(DA)
  2. B -> A : certB, DB, SB(DB)
- Both A and B compute a session key f(kA, kB) as a function of the subkeys supplied by A and B.

Impersonation Case Study

Protocol X
1. A -> T : A, B
2. T -> A : ST(EB, B)
3. A -> B : EB(kA, A)
4. B -> T : B, A
5. T -> B : ST(EA, A)
6. B -> A : EA(kA, kB)
   Check kA. Calculate the session key as f(kA, kB).
7. A -> B : EB(kB)
   Check kB. Calculate the session key as f(kA, kB).

Interleaving Attack on Protocol X
- An interleaving attack on this protocol is possible.
- An adversary C convinces:
  - A that he is talking to C using session key k = f(kA, kB).
  - B that he is talking to A using session key k.
- C has access to the key k and can use it to decrypt the responses that B makes to A.

Compromise Scenario
- B, C are taxpayers. A is the IRS.
- A contacts C, (presumably) authenticates and sets up a session key k. C uses the interleaving attack with B.
- B now thinks he is talking to the IRS.
- C answers questions directed to him by the IRS.
- Meanwhile C, pretending to be the IRS, asks B for information about his income for the last 5 years.

What Went Wrong?
- Entity authentication: determining who you are talking to.
- Key establishment: settling on a shared session key.
- Protocol X admits an interleaving attack that allows an adversary to exploit entity authentication and then step in to exploit key establishment.

Station-To-Station Protocol
- Provides key confirmation and mutual authentication without revealing the identities of the participants to other parties.
- Based on:
  - Diffie-Hellman.
  - Digital signatures using public key pairs.
  - Symmetric encryption.

Station-To-Station Setup
- q prime with primitive root α where 1 < α < q-1. q and α are agreed upon by A and B.
- XA is the private key of A where 1 <= XA < q. The public key of A is YA = α**XA mod q.
- XB is the private key of B where 1 <= XB < q. The public key of B is YB = α**XB mod q.
- k = α**(XA * XB) is the session key.

STS Messages
1. A -> B : YA
   Calculate k.
2. B -> A : YB, E(k, SB(YB, YA))
   Calculate k, use it to decrypt the signature, check the signature using the verification function of B and the known values YB, YA.
3. A -> B : E(k, SA(YA, YB))
   Decrypt the signature and check it using the verification function of A.

Passwords as Keys
- Humans are not good at remembering 56 bit keys.
- Solution: use passwords as keys.
- Setup: P is a password known to both A and B. EA is a public key for A.
- Simple protocol:
  - A -> B : E(P, K)
  - B -> A : E(K, “Terminal type:”)

Simple Protocol Vulnerability
- Use a dictionary attack on the password.
- This protocol enables an offline attack.
- Let P* be a word in a dictionary of likely passwords.
- Compute:
  - D(P*, E(P, K)) = K*
  - D(K*, E(K, “Terminal type:”)) = S
  - If S makes sense, then P* = P.

Countermeasure
- The server supplies the session key, encrypted under the public key of A.
- Guessing P only reveals EA(K), which is not useful in attacking the last message.
1. A -> B : E(P, EA)
2. B -> A : E(P, EA(K))
3. B -> A : E(K, “Terminal type:”)

Bellovin-Merritt Protocol
- A -> B : A, E(P, EA)
- B -> A : E(P, EA(K))
- A -> B : E(K, rA)
- B -> A : E(K, (rA, rB))
- A -> B : E(K, rB)