CIS/TCOM 551 Computer and Network Security Slide Set 5 Carl A. Gunter Spring 2004

Protocols l Overview l Entity Authentication l Key Establishment

General Definition of “Protocol” l A protocol is a multi-party algorithm, defined by a sequence of steps precisely specifying the actions required of two or more parties in order to achieve a specified objective.

Arbitrated Protocols

Adjudicated Protocols

Self-Enforcing Protocols

Protocol Sample Threat l Common strategy.  Encrypt for confidentiality.  Sign for integrity. l Is it better to sign then encrypt? l Or is it better to encrypt then sign? l There is a pitfall.

Messages l P -> R : ER(M, DP(M))  R decodes with DR  Verifies with EP:  EP(DP(M)) = M ? l P -> R : ER(M), DP(ER(M))  R decodes with DR  Verifies with EP:  EP(DP(ER(M))) = ER(M) ?

Pitfall l Interception Scenario  P -> O (R) : ER(M), DP(ER(M))  O -> R : ER(M), DO(ER(M)) l R might think that M came from O. l Is this really a problem? l To be safe: sign then encrypt.

Foundations of Authentication l Authentication is based on one or more of the following:  Something you know.  Something you have.  Something inherent about you.

Entity Authentication l Aims and Threats l Weak Security: Passwords l Strong Security: Challenge-Response

Typical Setup ClaimantVerifier Userid: Password: Identification Authentication Terminology: identification will be used to refer to the combination of claimed identity and its authentication.

Aim l For honest parties, the claimant A is able to authenticate itself to the verifier B. That is, B will complete the protocol having accepted A’s identity.

Threats l Transferability: B cannot reuse an identification exchange with A to successfully impersonate A to a third party C. l Impersonation: The probability is negligible that a party C distinct from A can carry out the protocol in the role of A and cause B to accept it as having A’s identity.

Assumptions l A large number of previous authentications between A and B may have been observed. l The adversary C has participated in previous protocol executions with A and/or B. l Multiple instances of the protocol, possibly instantiated by C, may be run simultaneously.

Attacks Not Addressed l Identification affirms that communication with the expected party occurred at a given point in time. l Two active attacks are not addressed:  Usurpation: The session beginning with the identification is “usurped” by the attacker as a man-in-the-middle.  Grand Master Postal Attack Problem: A man-in-the-middle relays messages between two parties without changing them.

Unix Passwords l Humans need memorable keys, care must be taken to use these keys properly. l Password Security: A Case History, Robert Morris and Ken Thompson, CACM v22(1979),

Make a File of Passwords l At first Unix was implemented with a password file holding the actual passwords of users. l This was vulnerable to many lapses  Copies were made by privileged users  Copies were made by bugs: classic example posted password file on daily message file  Physical access to backup was a vulnerability  Information from the password file needed to be replicated into many other files

First Approach l Encrypt the passwords and keep the encrypted version. l Take the password from the user, encrypt it, and compare with password file entry. l Problems  poor user selection of passwords  online dictionary attack l On a PDP-11/70 it was possible to compute the encryptions of all passwords using 6 lower-case letters in about 107 hours.

Heuristics for Guessing l The dictionary with the words spelled backwards l A list of first names (best obtained from some mailing list). Last names, street names, and city names also work well. l The above with initial upper-case letters. l All valid license plate numbers in your state. (About 5 hours work in 1979 for New Jersey.) l Room numbers, social security numbers, telephone numbers, and the like.

A Survey of 3,289 Passwords l With no constraints on choice of password, Morris and Thompson got the following results:  15 were a single ASCII letter.  72 were strings of two ASCII letters.  464 were strings of three ASCII letters.  47 were strings of four alphanumerics.  706 were five letters, all upper-case or all lower-case.  605 were six letters, all lower case.

Risk in Password Restrictions l An installation required users to accept a machine-selected password. l These were 8 characters long (lower case and digits) and generated from a pseudorandom number generator. l There were only 2**15 starting values (seeds). l Time to search strings of length 8 required 112 years (on machines of the time). l Time to check 2**15 seeds, not long!

Improvements to First Approach l Slower encryption: use password to create a key, then encrypt a constant using 25 iterations of the DES algorithm. l Enforce password rules. l “Mess up” DES: change algorithm so that stock hardware cannot be used.

Slowing Dictionary Attacks l “Salt” the passwords by adding random bits.  Makes dictionary attacks more expensive.  Decreases the likelihood that two identical passwords will appear as identical entries in the password file. l 12 bit salt results in 4,096 versions of each password.

Classic Unix Crypt – part 1 l Supplied by the user: a password P, truncated to 8 characters by the system. l Held by the system: a 77 bit value consisting of a 12 bit salt S and cryptographic hash derived as follows. l Pad password with zeros if necessary to get 56 bit key K.

Classic Unix Crypt – part 2 l Create a modified DES with expansion permutations (32 to 48 bits) determined by S. l Use K as a DES key to encrypt a 64 bit block of zeros, running the encryption 25 times. l This yields a 64 bit ciphertext. Add the 12 bit salt and represent this as 11 7-bit characters.

One Time Passwords l Shared lists. l Sequentially updated. l One-time password sequences based on a one-way function.

Hash-based 1-time Passwords l A claimant identifies itself to verifier B using a one-way hash function H. l One-time setup.  A chooses a secret w.  Fixes a constant t for the number of times the verification can be done.  A securely transfers H**t(w) to B. l Protocol messages. For the i’th identification where 1 <=i <= t:  A -> B: A, i, H**(t-i)(w)

Hash-based 1-time Passwords l Protocol actions. For session i, claimant A does the following to identify itself:  A computes w’ = H**(t-i)(w) and transmits the value to B.  B checks that i is the correct session (ie. that the previous session was i-1) and checks to see if H(v) = w’ where v was the last value provided by A (as part of session i-1).  B saves w’ and i for use in the next session.

Challenge-Response l Background.  Random numbers (nonces).  Sequence numbers.  Timestamps. l Symmetric keys.  With timestamps or random numbers. l MAC’s. l Asymmetric keys.  With encryption or signature.

Replay l Replay is the treat in which a transmission is observed by an eavesdropper who subsequently reuses it as part of a protocol, possibly to impersonate the original sender. l Example: monitor the first part of a telnet session to obtain a sequence of transmissions sufficient to get a log-in. l There are 3 general strategies for defeating replay attacks: nonces, timestamps, and sequence numbers.

Random Numbers l A random number is a number chosen unpredictably in a range. l In a challenge-response protocol they are used as follows.  The verifier chooses a (new) random number and provides it to the claimant.  The claimant performs an operation on it showing knowledge of a secret.  This information is bound inseparably to the random number and returned to the verifier for examination.  A timeout period is used to ensure “freshness”.

Sequence Numbers l Sequence numbers provide a sequential or monotonic counter on messages. l If a message is replayed and the original message was received, the replay will have an old or too-small sequence number and be discarded. l Cannot detect forced delay. l Difficult to maintain when there are system failures.

Time Stamps l The claimant sends a message with a timestamp. l The verifier checks that it falls within an acceptance window of time. l The last timestamp received is held, and identification requests with older timestamps are ignored. l Good only if clock synchronization is close enough for acceptance window.

Unilateral Symmetric Key l Unilateral authentication with timestamp generated by A.  A -> B : E(K, (t, B)) l Unilateral authentication with random number generated by B.  B -> A : r  A -> B : E(K, (r, B))

Mutual Symmetric Key l Using random numbers:  B -> A: rB  A -> B: E(K, (rA, rB, B))  B -> A: E(K, (rB, rA))

Mutual MAC Function l Let H be a hash function and K be a shared secret between A and B.  B -> A: rB  A -> B: rA, H(K, (rA, rB, B))  B -> A: H(K, (rB, rA, A))

Passkey Systems F S PIN A Display Claimant AVerifier B e y Challenge Generator Login Request Passcode Generator F Secret Database Compare (challenge) (response) PIN S

Unilateral Public Key Decryption l Encryption under A’s public key is EA:  B -> A : H(r), B, EA(r, B)  A -> B : r l The witness H(r) shows knowledge of r and prevents chosen plaintext attacks on EA.

Mutual Public Key Decryption l Let EA and EB be the encryption functions for the public keys of A and B respectively.  A -> B: EB(rA, A)  B -> A: EA(rA, rB)  A -> B: rB

Unilateral Digital Signatures l Let SA and SB be the signature functions of A and B respectively. l Unilateral authentication with timestamps:  A -> B: t, B, SA(t, B) l Unilateral authentication with random numbers:  B -> A: rB  A -> B: rA, B, SA(rA, rB, B)  The rA prevents chosen plaintext attacks.

Mutual Digital Signatures l Using random numbers.  B -> A: rB  A -> B: rA, B, SA(rA, rB, B)  B -> A: A, SB(rB, rA, A)

Primary Attacks l Impersonation. l Replay. l Interleaving. l Reflection. l Forced delay. l Chosen plaintext.

Primary Controls l Replay: use of challenge-response techniques and embedding target identity in response. l Interleaving: link messages in a run with chained nonces. l Reflection: embed identifier of target party in challenge response, use asymmetric message formats, use uni- directional keys.

Primary Controls, continued l Chosen text: embed self-chosen random numbers (“confounders”) in responses, use “zero knowledge” techniques. l Forced delays: use random numbers with short timeouts, use timestamps with other techniques.

Multiple Use of Keys l There are risks in using keys for multiple purposes. l Using an RSA key for both entity authentication and signatures may allow a chosen-text attack. l B attacker/verifier, rB=H(M) for some message M.  B -> A: rB  A -> B: B, SA(rB)  B(A) -> C: M, SA(H(M)) B, pretending to be A

Effective Control l Notice how the protocol described earlier foils this. Here’s the protocol:  B -> A: rB  A -> B: rA, B, SA(rA, rB, B) l Here’s what happens:  B -> A: rB  A -> B: rA, B, SA(rA, rB, B)  B(A) -> C: M, SA(rA, H(M), B)  C finds that SA(rA, H(M), B)  SA(H(M)) and rejects the signature.

Usurpation Attacks l Identification protocols provide assurances corroborating the identity of an entity only at a given instant in time. l Techniques to assure ongoing authenticity:  Periodic re-identification.  Tying identification to an ongoing integrity service. For example: key establishment and encryption.

Key Establishment l Symmetric keys.  Point-to-Point.  Needham-Schroeder.  Kerberos. l Asymmetric keys.  X.509 key establishment.  Attack example.  Station To Station (STS) protocol.  Bellovin-Merritt protocol.

Symmetric Keys l Key establishment using only symmetric keys requires use of pre-distribution keys to get things going. l These can be based on:  Point to point distribution, or  Key Distribution Center (KDC).

Point-to-Point l Timestamp.  A -> B : E(K, (k, t, B)) l Nonce.  B -> A : r  A -> B : E(K, (k, r, B)) Session Key ISO/IEC

Key Distribution Center

Distribution Center Setup l A wishes to communicate with B. l T is a trusted third party that provides session keys. l T has a key KAT in common with A and a key KBT in common with B. l A authenticates T using a nonce rA and obtains a session key from T. l A authenticates to B and transports the session key securely.

Needham-Schroeder 1. A -> T : A, B, rA 2. T -> A : E( KAT, (k, rA, B, E( KBT, (k, A)) )) A decrypts with KAT and checks rA and B. Holds k for future correspondence with B. 3. A -> B : E( KBT, (k, A)) B decrypts with KBT. 4. B -> A : E(k, rB) A decrypts with k. 5. A -> B : E(k, rB – 1) B checks rB-1.

Attack Scenario 1 1. A -> T : A, B, rA 2. T -> C (A) : E( KAT, (k, rA, B, E( KBT, (k, A)) )) C is unable to decrypt the message to A; passing it along unchanged does no harm. Any change will be detected by A.

Attack Scenario 2 1. A -> C (T) : A, B, rA 2. C (A) -> T : A, C, rA 3. T -> A : E( KAT, (k, rA, C, E( KCT, (k, A)) )) Rejected by A because C rather than B.

Attack Scenario 3 1. A -> C (T) : A, B, rA 2. C -> T : C, B, rA 3. T -> C : E( KCT, (k, rA, B, E( KBT, (k, C)) )) 4. C (T) -> A : E( KCT, (k, rA, B, E( KBT, (k, C)) )) A is unable to decrypt the message.

Attack Scenario 4 1. C -> T : C, B, rA 2. T -> C : E( KCT, (k, rA, B, E( KBT, (k, C)) )) 3. C (A) -> B : E( KBT, (k, C)) B will see that the purported origin (A) does not match the identity indicated by the distribution center.

Kerberos Setup l A,T,B, shared keys KAT, KBT as in distribution center. l Nonce rA generated by A. l Trusted synchronous clocks for generating a time t and checking expiration of a lifetime L.

Kerberos Messages 1. A -> T : A, B, rA 2. T -> A : E( KBT, (k, A, L)), E( KAT, (k, rA, L, B)) 3. A -> B : E( KBT, (k, A, L)), E( k, (A, t)) 4. B -> A : E(k, t) Ticket Authenticator

Kerberos Actions 1. A -> T : A, B, rA 2. T -> A : E( KBT, (k, A, L)), E( KAT, (k, rA, L, B)) Decrypt using KAT, check rA, B, and hold L for future reference. 3. A -> B : E( KBT, (k, A, L)), E( k, (A, t)) Decrypt the ticket using KBT to get the session key and lifetime. Use the session key to decrypt the authenticator. Check A, t, L. 4. B -> A : E(k, t) Check t.

Asymmetric Key Exchange l X.509 key establishment. l Impersonation case study. l STS. l Bellovin-Merritt protocol.

X.509 Key Establishment Setup l X.509 is part of the X.500 series of ISO/IEC standards. l certA and certB are certificates for the public keys of A and B. l A has encryption function EA and signature function SA. B has signature function SB. l rA and rB are nonces. l LA and LB are lifetimes (validity periods).

X.509 Key Est. Messages l Let DA = EB(k), rA, LA, A. l Let DB = rB, LB, rA, A l Two messages: 1.A -> B : certA, DA, SA(DA) Check that the nonce rA has not been seen, and is not expired according to LA. Remember it for its lifetime LA. 2.B -> A : certB, DB, SB(DB) Check the rA and A. Check that rB has not been seen and is not expired according to LB.

X.509 Variant l X.509 supports several variants on the previously-described protocol. l Let DA = EB(kA), rA, LA, A. l Let DB = EA(kB), rB, LB, rA, A l Two messages: 1.A -> B : certA, DA, SA(DA) 2.B -> A : certB, DB, SB(DB) Both A and B compute a session key f(kA, kB) as a function of subkeys supplied by A and B.

Impersonation Case Study

Protocol X 1. A -> T : A, B 2. T -> A : ST(EB, B) 3. A -> B : EB(kA, A) 4. B -> T : B, A 5. T -> B : ST(EA, A) 6. B -> A : EA(kA, kB)  Check kA. Calculate session key as f(kA,kB). 7. A -> B : EB(kB)  Check kB. Calculate session key as f(kA,kB).

Interleaving Attack on Protocol X l An interleaving attack on this protocol is possible. l An adversary C convinces:  A that he is talking to C using session key k = f(kA, kB).  B that his is talking to A using session key k. l C has access to the key k and can use it to decrypt the responses that B makes to A.

Compromise Scenario l B, C are taxpayers. A is the IRS. l A contacts C, (presumably) authenticates and sets up a session key k. C uses the interleaving attack with B. l B now thinks he is talking to the IRS. l C answers questions directed to him by the IRS. l Meanwhile C, pretending to be IRS, asks B for information about his income for the last 5 years.

What Went Wrong? l Entity authentication: determining who you are talking to. l Key establishment: settling on a shared session key. l Protocol X admits an interleaving attack that allows an adversary to exploit entity authentication and then step in to exploit key establishment.

Station-To-Station Protocol l Provides key confirmation and mutual authentication without revealing the identities of the participants to other parties. l Based on:  Diffie-Hellman.  Digital signatures using public key pairs.  Symmetric encryption.

Station-To-Station Setup l q prime with primitive root  where 1<  < q-1. q and  are agreed upon by A and B. l XA is the private key of A where 1 <= XA < q. The public key of A is YA =  **XA mod q. l XB is the private key of B where 1 <= XB < q. The public key of B is YB =  **XB mod q. l k =  **(XA * XB) is the session key.

STS Messages 1. A -> B : YA Calculate k. 2. B –> A : YB, E(k, SB(YB, YA)) Calculate k, use it to decrypt the signature, check the signature using the verification function of B and known values YB, YA. 3. A -> B : E(k, SA(YA, YB)) Decrypt the signature and check it using the verification function of A.

Passwords as Keys l Humans are not good at remembering 56 bit keys. l Solution: use passwords as keys. l Setup: P is a password known to both A and B. EA is a public key for A. l Simple protocol:  A -> B : E(P, K)  B -> A : E(K, “Terminal type:”)

Simple Protocol Vulnerability l Use a dictionary attack on the password. l This protocol enables an offline attack. l Let P* be a word in a dictionary of likely passwords. l Compute:  D(P*, E(P,K)) = K*  D(K*, E(K, “Terminal type:”)) = S  If S makes sense, then P* = P.

Countermeasure l The server supplies the session key, encrypted under the public key of A. l Guessing P only reveals EA(K), which is not useful in attacking the last message. 1. A -> B : E(P, EA) 2. B -> A : E(P, EA(K)) 3. B -> A : E(K, “Terminal type:”)

Bellovin-Merritt Protocol l A -> B : A, E(P, EA) l B -> A : E(P, EA(K)) l A -> B : E(K, rA) l B -> A : E(K, (rA, rB)) l A -> B : E(K, rB)