Network Security and It’s Issues Presenter Prosanta Gope Advisor Prof. Tzonelih Hwang Quantum Information and Network Security Lab, NCKU,2015

Flash Back Part 3  Protocols 2

Outline  Network Security Basics.  Understating the Purpose of Mutual Authentication  Symmetric Key based Mutual Authentication.  Public Key based Mutual Authentication.  Understating Secure Socket Layer (SSL)

Network Security Basics

Network Security Services  Confidentiality  Integrity  Authentication  Nonrepudiation  Access Control  Availability

Network Network Security Services  Confidentiality  Maintaining the privacy of data  Integrity  Detecting that the data is not tampered with  Authentication  Establishing proof of identity  Nonrepudiation  Ability to prove that the sender actually sent the data  Access Control  Access to information resources are regulated  Availability  Computer assets are available to authorized parties when needed SERVICES

Something Well-known in Network Security World

Friends and enemies: Alice, Bob, Trudy  Bob, Alice (lovers!) want to communicate “securely”  Trudy (intruder) may intercept, delete, add messages secure sender secure receiver channel data, control messages data Alice Bob Trudy

Protocol  Human protocols  the rules followed in human interactions o Example: Asking a question in class  Networking protocols  rules followed in networked communication systems o Examples: HTTP, FTP, etc.  Security protocol  the (communication) rules followed in a security application o Examples: SSL, IPSec, Kerberos, etc.

Ideal Security Protocol  Must satisfy security requirements o Requirements need to be precise  Efficient o Small computational requirement o Small bandwidth usage, minimal delays…  Robust o Works even if environment changes  Easy to use & implement, flexible…  Difficult to satisfy all of these!

Secure Entry to NSA 1. Insert badge into reader 2. Enter PIN 3. Correct PIN? Yes? Enter No? Get shot by security guard

ATM Machine Protocol 1. Insert ATM card 2. Enter PIN 3. Correct PIN? Yes? Conduct your transaction(s) No? Machine (eventually) eats card

Authentication Protocols

Authentication  Alice must prove her identity to Bob o Alice and Bob can be humans or computers  May also require Bob to prove he’s Bob (mutual authentication)  Probably need to establish a session key  May have other requirements, such as o Use public keys o Use symmetric keys o Use hash functions o Anonymity, etc., etc.

Simple Authentication Alice Bob “I’m Alice” Prove it My password is “frank”  Simple and may be OK for standalone system  But insecure for networked system o Subject to a replay attack (next 2 slides) o Also, Bob must know Alice’s password

Authentication Attack Alice Bob “I’m Alice” Prove it My password is “frank” Trudy

Authentication Attack Bob “I’m Alice” Prove it My password is “frank” Trudy  This is an example of a replay attack  How can we prevent a replay?

Simple Authentication Alice Bob I’m Alice, my password is “frank”  More efficient, but…  … same problem as previous version

Better Authentication Alice Bob “I’m Alice” Prove it h(Alice’s password)  Better since it hides Alice’s password o From both Bob and Trudy  But still subject to replay

Challenge-Response  To prevent replay, use challenge-response o Goal is to ensure “freshness”  Suppose Bob wants to authenticate Alice o Challenge sent from Bob to Alice  Challenge is chosen so that… o Replay is not possible o Only Alice can provide the correct response o Bob can verify the response

Nonce  To ensure freshness, can employ a nonce o Nonce == number used once  What to use for nonces? o That is, what is the challenge?  What should Alice do with the nonce? o That is, how to compute the response?  How can Bob verify the response?  Should we rely on passwords or keys?

Challenge-Response Bob “I’m Alice” Nonce h(Alice’s password, Nonce)  Nonce is the challenge  The hash is the response  Nonce prevents replay, ensures freshness  Password is something Alice knows  Note: Bob must know Alice’s pwd to verify Alice

Generic Challenge-Response Bob “I’m Alice” Nonce Something that could only be Alice from Alice (and Bob can verify)  In practice, how to achieve this?  Hashed password works, but…  Encryption is better here (Why?)

Symmetric Key Notation  Encrypt plaintext P with key K C = E(P,K)  Decrypt ciphertext C with key K P = D(C,K)  Here, we are concerned with attacks on protocols, not attacks on crypto o So, we assume crypto algorithms are secure

Authentication: Symmetric Key  Alice and Bob share symmetric key K  Key K known only to Alice and Bob  Authenticate by proving knowledge of shared symmetric key  How to accomplish this? o Cannot reveal key, must not allow replay (or other) attack, must be verifiable, …

Authentication with Symmetric Key Alice, K Bob, K “I’m Alice” E(R,K)  Secure method for Bob to authenticate Alice  Alice does not authenticate Bob  So, can we achieve mutual authentication? R

Mutual Authentication? Alice, K Bob, K “I’m Alice”, R E(R,K)  What’s wrong with this picture?  “Alice” could be Trudy (or anybody else)!

Mutual Authentication  Since we have a secure one-way authentication protocol…  The obvious thing to do is to use the protocol twice o Once for Bob to authenticate Alice o Once for Alice to authenticate Bob  This has got to work…

Mutual Authentication Alice, K Bob, K “I’m Alice”, R A R B, E(R A, K) E(R B, K)  This provides mutual authentication…  …or does it? See the next slide

Mutual Authentication Attack Bob, K 1. “I’m Alice”, R A 2. R B, E(R A, K) Trudy Bob, K 3. “I’m Alice”, R B 4. R C, E(R B, K) Trudy 5. E(R B, K)

Let’s Resolve this Problem

Symmetric Key Mutual Authentication Alice, K Bob, K “I’m Alice”, R A R B, E(“Bob”,R A,K) E(“Alice”,R B,K)  Do these “insignificant” changes help?  Yes!

Problem Statement In Symmetric Key based Authentication Protocol Alice and Bob need to have a Shared Secret Key, Where Distribution of Keys among the Participants is a tedious Job.

Welcome to the World of Public-Key Crypto-System

35 Public Keys and Trust Public Key: P A Secret key: S A Public Key: P B Secret key: S B How are public keys stored? How to obtain the public key? How does Bob know or ‘trusts’ that P A is Alice’s public key?

36 Distribution of Public Keys  Public announcement: users distribute public keys to recipients or broadcast to community at large  Publicly available directory: can obtain greater security by registering keys with a public directory  Public Key Can Also Achieve Through CA

Public Key Notation  Encrypt M with Alice’s public key: {M} Alice  Sign M with Alice’s private key: [M] Alice  Anybody can use Alice’s public key  Only Alice can use her private key

Public Key Authentication Alice Bob “I’m Alice” {R} Alice R  Is this secure?  Trudy can get Alice to decrypt anything!

Public Key Authentication Alice Bob “I’m Alice” R [R] Alice  Is this secure?  Trudy can get Alice to sign anything!

Public Keys  Generally, a bad idea to use the same key pair for encryption and signing  Instead, should have… o …one key pair for encryption/decryption… o …and a different key pair for signing/verifying signatures

Session Key  Usually, a session key is required o I.e., a symmetric key for a particular session o Used for confidentiality and/or integrity  How to authenticate and establish a session key (i.e., shared symmetric key)? o When authentication completed, want Alice and Bob to share a session key o Trudy cannot break the authentication… o …and Trudy cannot determine the session key

Authentication & Session Key Alice Bob “I’m Alice”, R {R,K} Alice {R +1,K} Bob  Is this secure? o Alice is authenticated and session key is secure o Alice’s “nonce”, R, useless to authenticate Bob o The key K is acting as Bob’s nonce to Alice  No mutual authentication

Public Key Authentication and Session Key Alice Bob “I’m Alice”, R [R,K] Bob [R +1,K] Alice  Is this secure? o Mutual authentication (good), but… o … session key is not secret (very bad)

Public Key Authentication and Session Key Alice Bob “I’m Alice”, R {[R,K] Bob } Alice {[R +1,K] Alice } Bob  Is this secure?  Seems to be OK  Mutual authentication and session key!

Public Key Authentication and Session Key Alice Bob “I’m Alice”, R [{R,K} Alice ] Bob [{R +1,K} Bob ] Alice  Is this secure?  Seems to be OK

Perfect Forward Secrecy  Consider this “issue”… o Alice encrypts message with shared key K and sends ciphertext to Bob o Trudy records ciphertext and later attacks Alice’s (or Bob’s) computer to recover K o Then Trudy decrypts recorded messages  Perfect forward secrecy (PFS): Trudy cannot later decrypt recorded ciphertext o Even if Trudy gets key K or other secret(s)  Is PFS possible?

Naïve Session Key Protocol  Trudy could record E(K S, K)  If Trudy later gets K then she can get K S o Then Trudy can decrypt recorded messages Alice, K Bob, K E(K S, K) E(messages, K S )

Then How to Achieve Perfect Forward Secrecy (PFS)

With the Help of Diffie-Hellman Key- Agreement Protocol

Key Agreement: Diffie-Hellman Protocol Key agreement protocol, both A and B contribute to the key Setup: p prime and g generator of Z p *, p and g public. K = (g b mod p) a = g ab mod p g a mod p g b mod p K = (g a mod p) b = g ab mod p Pick random, secret a Compute and send g a mod p Pick random, secret b Compute and send g b mod p

MIM in Diffie-Hellman g a mod n g b mod n g c mod n Alice computes g ac mod n and Bob computes g bc mod n !!!

Oh! No.. Can Anyone Help Me to Achieve PFS? Oh! No.. Can Anyone Help Me to Achieve PFS?

Perfect Forward Secrecy  Session key K S = g ab mod p  Alice forgets a, Bob forgets b  So-called Ephemeral Daffier-Hellman  Neither Alice nor Bob can later recover K S  Are there other ways to achieve PFS? Alice: K, a Bob: K, b E(g a mod p, K) E(g b mod p, K)

Mutual Authentication, Session Key and PFS Alice Bob “I’m Alice”, R A R B, [{R A, g b mod p} Alice ] Bob [{R B, g a mod p} Bob ] Alice  Session key is S K = g ab mod p  Alice forgets a and Bob forgets b  If Trudy later gets Bob’s and Alice’s secrets, she cannot recover session key S K

Three-Party Mutual Authentication and Key-Distribution Using Symmetric-Key Crypto System Part 3  Protocols 55

Meet Our Participants Part 3  Protocols 56

Part 3  Protocols 57 Trudy Alice Bob Can be Treated as Serve r

Assumptions Part 3  Protocols 58

Part 3  Protocols 59 Trudy Alice Bob ?Share Key

Trudy M1 M2 M3 M4

Trudy M1 M2 M3 M4 Decrypt: M3 Check: ? Na Get : Kab Decrypt: M4 Check: ? Nb Get : Kab Kab

Secure communication

Understanding SSL Part 3  Protocols 63

64 古早密碼學 古典密碼學 資安號 Privacy Integrit y Authentication Network Security Services Authentication

THANK YOU I have questions…