Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 3 Basic Protocols. 3.1 Key Exchange n Session Key - Why? n Key Exchange with Symmetric Cryp. KDC request E KA (K AB ), E KB (K AB ) E KB (K AB.

Published byAshley Fields Modified over 9 years ago

Similar presentations

Presentation on theme: "Chapter 3 Basic Protocols. 3.1 Key Exchange n Session Key - Why? n Key Exchange with Symmetric Cryp. KDC request E KA (K AB ), E KB (K AB ) E KB (K AB."— Presentation transcript:

1 Chapter 3 Basic Protocols

2 3.1 Key Exchange n Session Key - Why? n Key Exchange with Symmetric Cryp. KDC request E KA (K AB ), E KB (K AB ) E KB (K AB ) KDC : Trust?, Bottleneck, Security of KDC

3 n Key Exchange with Public-Key Cypt. u Public keys from KDC KDC E K BP (K AB ) K BP

4 n Man-in-the-Middle Attack u Public keys by communication u Attack by Mallory since there is no verification of each other. Mallory 4.K MP Alice Bob 1.K AP 5.E K MP (m) 2. K MP 3.K BP 6.E K MP (m)

5 n Interlock Protocol(Rivest and Shamir)-I u Half of the message is useless without the other half! u Note that half of (E K BP (m)) = half of (E K BP (D K MR (E K MP (m))) Alice Bob 1.K AP 3.First half of (E K BP (m)) 5.Last half of (E K BP (m)) 2.K BP 4.First half of (E K AP (m)) 6.Last half of (E K AP (m))

6 n Interlock Protocol(Rivest and Shamir)-II Alice Bob 1.K AP  K MP 3.First half of (E K MP (m))  E K BP ( D K MR ( First half of (E K MP (m)) ) the first half of E K BP (m) 2. K MP  K BP 4.First half of (E K MP (m))

7 n Key Exchange with Digital Signatures u Certificate of one’s public key u Hard to impersonate someone (DB attack) n Key and Message Transmission n Key and Message Broadcasting Alice Bob 1.E K AB (m), E K BP (K AB )

8 Username, I k =“I’m Alice” Request for Password Password P k p wiretapping p guessing on password - online / offline guessing - short password, no password, username=password p attack on password file Client Server password file I k : h( P k ) P k Username = I k h I k Attack on Password 3.2 Authentication n Using One-way Functions

9 Password file h ( password B ) ?=?= B, password B h A : h( password A ) B : h( password B ) C : h( password C ) q UNIX Password SYSTEM q Password verification

10 q Server Identity x K Request for Password P assword x K-1  No shared secret between Client and Server q Using One-way Function h( )  Select x 0 and x i = h(x i-1 ) for i = 1,2,3,.. k { k access tickets }  password x k is a user identity for next access Client u SKEY( One-Time Password) F Use h i (r), and host check h(h i (r))=h i+1 (r)

11 n Using Public-key Crypt u Eve may listen to Alice’s login sequence, or have access to the memory of the processor u Step 2 may be generated automatically, so anyone can get the signature of Alice on m F Both may generate random numbers Alice HOST 1. R : Challenge 2. E K AR (R) : Response

12 n Mutual Authentication Using the Interlock Protocol u Shared secret P A and P B u Man-in-the-middle Attack (in trading public keys) Alice Bob 1. E K AB (P A ) 2. E K AB (P B )

13 n SKID u Using MAC n Message Authentication u Use a Signature u With symmetric cryp., need TTP to prove it to the third party Alice Bob 1. R A 3. MAC K AB (R B, A) 2. R B, MAC K AB (R A, R B, B)

14 3.3 Authentication and Key Exchange n Confidentiality and timeliness u Confidentiality :To prevent masquerade and compromise of session keys u Timeliness : to protect replay attack F Sequences – overhead to keep track of numbers F Timestamps – accepted with allowable time windows, should not be used for connection- oriented applications because of sync. Overhead F Challenge/Response – nonce, should not be used for connectionless applications because of “handshake” overhead

15 3.3 Authentication and Key Exchange n Wide-Mouth Frog (1) Alice --> Trent : A, E A (T A, B, K) (2) Trent --> Bob : E B (T B, A, K) u User generates K? n Yahalom (1) Alice --> Bob : A, R A (2) Bob --> Trent : B,E B (A,R A,R B ) (3) Trent --> Alice : E A (B,K,R A,R B ), E B (A,K) (4) Alice --> Bob : E B (A,K), E K (R B ) (5) Bob confirms R B u Receiver Bob first contacts Trent!

16 n Needham-Schroeder (1) Alice --> Trent : A,B,R A (2) Trent --> Alice : E A (R A,B,K,E B (K,A)) (3) Alice --> Bob : E B (K,A) (4) Bob --> Alice : E K (R B ) (5) Alice --> Bob : E K (R B - 1) u All nonce are used to prevent replay attack in the form of challenge: but vulnerable Handshake, or Key confirmation u Mallory with old session key K (3) Mallory --> Bob : E B (K,A) (4) Bob --> Alice(Mallory) : E K (R B ) (5) Mallory --> Bob : E K (R B - 1) u To prevent this, use E B (K,A,T) in (2) F Even with knowledge of K, Step 3 detected as untimely

17 n Newman-Stubblebine u To prevent suppress-replay attack (1) Alice --> Bob : A,R A (2) Bob --> Trent : B, R B, E B (A,R A,T B ) (3) Trent --> Alice : E A (B,R A,K,T B ),E B (A,K,T B ), R B (4) Alice --> Bob : E B (A,K,T B ), E K (R B ) F R A (R B ): assuring Alice(Bob) of timeliness F E B (A,R A,T B ) : request for issuing credentials to Alice. F T B :Time limit on key’s use F No sync. is needed (why?) u Re-authentication without Trent (3) Alice --> Bob : E B (A,K,T B ),R’ A (4) Bob --> Alice : R’ B, E K ( R’ A ) (5) Alice --> Bob : E K (R’ B ) Ticket

18 q Trusted Third-Party stores all the passwords q Kerberos System from MIT Authentication Server (AS) Client Application Server Ticket Granting Server (TG) KERBEROS User Logon Ticket Granting Ticket Service Granting Ticket Service for the Client n Kerberos

19 Kerberos Authentication Server Client Application Server (AS) Ticket Granting Server (TG) Alice, Password ID = ‘Alice’ Alice’s Password  K{Alice} Ticket-granting Ticket = E K1 (‘Alice’, K{Alice-TG}) E K{Alice} (K{Alice-TG}, Ticket-granting Ticket) Service-granting Ticket = E K2 (‘Alice’, K{Alice-AS}) E K{Alice-TG} (K{Alice-AS}, Service-granting Ticket) Ticket-granting Ticket E K {Alice-TG} ( Timestamp ) Service-granting Ticket E K{Alice-AS} ( Timestamp )

20 n Denning-Sacco u using public-key cryptography (1) Alice --> Trent : A,B (2) Trent --> Alice : S T (B,K B ), S T (A,K A ) (3) Alice --> Bob : E B (S A (K,T A )), S T (B,K B ), S T (A,K A ) u Bob can masquerade as Alice (1) Bob --> Trent : B,C (2) Trent --> Bob : S T (B,K B ), S T (C,K A ) (3) Bob --> Carol : E C (S A (K,T A )), S T (A,K A ), S T (C,K C ) u Use the following in (3) (3) Alice --> Bob : E B (S A (A,B,K,T A )), S T (A,K A ), S T (B,K B )

21 3.4 Formal Analysis n Method 1 : Use general spec. language and verification tools u Proving correctness is not equal to proving security n Method 2 : Use expert system u Check if a protocol reaches an undesirable state. u What about unknown flaws? n Method 3 : Logic Model for Knowledge and Belief u BAN logic n Method 4 : View the protocol as an algebraic system

22 3.5 Multiple-Key PKC n Multiple-Key Key Distribution u Let S be the set of keys and let S 1,S 2 be a partition of S u To encrypt, use S 1, and to decrypt, use S 2 (See Table 3.2 in pp.68) n Broadcasting u One key for each - Too many M’s (communication overhead!) u One key for every combinations - Too many keys (huge user storage!) u Use Multiple-key - need to know which subset? u Various schemes proposed

23 3.6 Secret Splitting n Split M into shares m 1,m 2,…. u Each share has no information of M u M can be reconstructed using all shares n Example (1) Trent generates One-Time Pad R and compute S = M XOR R. (2) Trent --> Alice : R (3) Trent --> Bob : S (4) Bob and Alice reconstruct M = S XOR R. u What if any share is lost?

24 3.7 Secret Sharing n (m, n)-threshold scheme u It is possible to construct a sharing scheme you can imagine n With Cheaters u Valid member with invalid share F Fail to reconstruct u Reconstructing with Cheater F Cheater gets all m shares needed to reconstruct

25 n without Trent u All members together create a secret without knowing the secret n without Revealing the Shares u reuse the shares n Verifiable Secret Sharing n Publicly Verifiable Secret Sharing n with Prevention u Use two share “yes” and “no” n with Disenrollment u When one member is dispelled, activate a new scheme (?)

26 3.8 Cryptographic Protection of DB n One Scheme Field 1 : Index h(last name) Field 2 : E last (Information) u without last name, hard to find information u easy attack to construct whole DB

Download ppt "Chapter 3 Basic Protocols. 3.1 Key Exchange n Session Key - Why? n Key Exchange with Symmetric Cryp. KDC request E KA (K AB ), E KB (K AB ) E KB (K AB."

Similar presentations

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
Basic Protocols Schneier Ch. Three. Key Exchange w/ Symmetric Crypto 1.Desire A and B on network, sharing secret key with KDC. How??? 2.A request session.

Basic Protocols Schneier Ch. Three. Key Exchange w/ Symmetric Crypto 1.Desire A and B on network, sharing secret key with KDC. How??? 2.A request session.
Computer Science&Technology School of Shandong University Instructor: Hou Mengbo Email: houmb AT sdu.edu.cn Office: Information Security Research Group.

Computer Science&Technology School of Shandong University Instructor: Hou Mengbo houmb AT sdu.edu.cn Office: Information Security Research Group.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Authentication & Kerberos

Authentication & Kerberos
Cryptography and Network Security Chapter 15 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 15 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,

1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.

1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.

 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.

Similar presentations

Ads by Google