
1 Chapter 3 Basic Protocols

2 3.1 Key Exchange
- Session Key - Why?
- Key Exchange with Symmetric Cryptography
  - Diagram labels: KDC; request; E_KA(K_AB), E_KB(K_AB); E_KB(K_AB)
  - KDC: Trust?, Bottleneck, Security of KDC

3
- Key Exchange with Public-Key Cryptography
  - Public keys from KDC
  - Diagram labels: KDC; K_BP; E_KBP(K_AB)

4
- Man-in-the-Middle Attack
  - Public keys by communication
  - Attack by Mallory, since there is no verification of each other.
  - Diagram (Alice, Mallory, Bob), numbered messages:
    1. K_AP
    2. K_MP
    3. K_BP
    4. K_MP
    5. E_KMP(m)
    6. E_KMP(m)

5
- Interlock Protocol (Rivest and Shamir) - I
  - Half of the message is useless without the other half!
  - Note that half of (E_KBP(m)) = half of (E_KBP(D_KMR(E_KMP(m))))
  - Diagram (Alice, Bob), numbered messages:
    1. K_AP
    2. K_BP
    3. First half of (E_KBP(m))
    4. First half of (E_KAP(m))
    5. Last half of (E_KBP(m))
    6. Last half of (E_KAP(m))

6
- Interlock Protocol (Rivest and Shamir) - II
  - Diagram (Alice, Bob), numbered messages:
    1. K_AP  K_MP
    2. K_MP  K_BP
    3. First half of (E_KMP(m))  E_KBP(D_KMR(First half of (E_KMP(m))))  the first half of E_KBP(m)
    4. First half of (E_KMP(m))

7
- Key Exchange with Digital Signatures
  - Certificate of one's public key
  - Hard to impersonate someone (DB attack)
- Key and Message Transmission
- Key and Message Broadcasting
- Diagram (Alice, Bob): 1. E_KAB(m), E_KBP(K_AB)

8 3.2 Authentication
- Using One-way Functions
- Attack on Password
  - Diagram (Client, Server) messages: Username, I_k = "I'm Alice"; Request for Password; Password P_k
  - Diagram labels: password file; I_k : h(P_k); P_k; Username = I_k; h
  - Threats:
    - wiretapping
    - guessing on password
      - online / offline guessing
      - short password, no password, username = password
    - attack on password file

9
- UNIX Password System
- Password verification
  - Input: B, password_B
  - h(password_B) ?= the entry for B in the password file
  - Password file:
    A : h(password_A)
    B : h(password_B)
    C : h(password_C)

10
- SKEY (One-Time Password)
  - Use h^i(r), and the host checks h(h^i(r)) = h^(i+1)(r)
- Diagram (Client, Server) messages: Identity x_k; Request for Password; Password x_(k-1)
  - No shared secret between Client and Server
- Using One-way Function h()
  - Select x_0 and x_i = h(x_(i-1)) for i = 1, 2, 3, ..., k {k access tickets}
  - Password x_k is a user identity for next access
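
The hash-chain login on this slide, as an added example that is not part of the original slides: the host keeps only the last accepted value and checks h(password) against it, so a wiretapped password cannot be replayed. SHA-256, the `Host` class and the seed value are assumptions made for the illustration.

```python
import hashlib
import hmac

def h(x: bytes) -> bytes:
    """One-way function h(); SHA-256 is an assumption, the slide names no hash."""
    return hashlib.sha256(x).digest()

def make_chain(x0: bytes, k: int) -> list:
    """Return [x_0, x_1, ..., x_k] with x_i = h(x_(i-1))."""
    chain = [x0]
    for _ in range(k):
        chain.append(h(chain[-1]))
    return chain

class Host:
    """Hypothetical host: stores one chain value per user, never a secret."""
    def __init__(self):
        self.current = {}                      # username -> x_i on file

    def enroll(self, user: str, x_k: bytes) -> None:
        self.current[user] = x_k

    def login(self, user: str, password: bytes) -> bool:
        stored = self.current.get(user)
        # Accept only if h(password) equals the value on file: h(x_(i-1)) = x_i
        if stored is None or not hmac.compare_digest(h(password), stored):
            return False
        self.current[user] = password          # x_(i-1) is the reference for the next login
        return True

def demo() -> list:
    chain = make_chain(b"constructed-seed-x0", k=5)   # constructed sample seed
    host = Host()
    host.enroll("alice", chain[5])
    return [
        host.login("alice", chain[4]),   # fresh one-time password
        host.login("alice", chain[4]),   # replay of the same password
        host.login("alice", chain[3]),   # next password in the chain
        host.login("alice", chain[1]),   # out-of-order value
    ]

if __name__ == "__main__":
    print(demo())
```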

11
- Using Public-key Cryptography
  - Diagram (Alice, HOST): 1. R : Challenge; 2. E_KAR(R) : Response
  - Eve may listen to Alice's login sequence, or have access to the memory of the processor
  - Step 2 may be generated automatically, so anyone can get the signature of Alice on m
    - Both may generate random numbers

12
- Mutual Authentication Using the Interlock Protocol
  - Shared secret P_A and P_B
  - Man-in-the-middle Attack (in trading public keys)
  - Diagram (Alice, Bob): 1. E_KAB(P_A); 2. E_KAB(P_B)

13
- SKID
  - Using MAC
  - Diagram (Alice, Bob), numbered messages:
    1. R_A
    2. R_B, MAC_KAB(R_A, R_B, B)
    3. MAC_KAB(R_B, A)
- Message Authentication
  - Use a Signature
  - With symmetric cryptography, need TTP to prove it to the third party
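
The three SKID messages above, run end to end as an added example (not code from the original slides): each side checks the MAC over the nonces and the peer's name, so a recorded response fails against a fresh nonce and a party without K_AB cannot answer the challenge. HMAC-SHA256, the `Party` class and the length-prefixed field encoding are assumptions.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, *fields: bytes) -> bytes:
    """MAC_KAB over length-prefixed fields (HMAC-SHA256 is an assumption)."""
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()

class Party:
    """Hypothetical endpoint holding the shared key K_AB and one live nonce."""
    def __init__(self, name: bytes, key: bytes):
        self.name, self.key, self.nonce = name, key, None

    def start(self) -> bytes:                       # message 1: R_A
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def respond(self, r_a: bytes):                  # message 2: R_B, MAC(R_A, R_B, B)
        self.nonce = secrets.token_bytes(16)
        return self.nonce, mac(self.key, r_a, self.nonce, self.name)

    def finish(self, peer: bytes, r_b: bytes, tag: bytes):
        r_a, self.nonce = self.nonce, None          # a nonce is used once
        if r_a is None or not hmac.compare_digest(tag, mac(self.key, r_a, r_b, peer)):
            return None                             # peer did not prove knowledge of K_AB
        return mac(self.key, r_b, self.name)        # message 3: MAC(R_B, A)

    def verify(self, peer: bytes, tag: bytes) -> bool:
        r_b, self.nonce = self.nonce, None
        return r_b is not None and hmac.compare_digest(tag, mac(self.key, r_b, peer))

def run():
    key = secrets.token_bytes(32)
    alice, bob = Party(b"A", key), Party(b"B", key)
    r_b, tag2 = bob.respond(alice.start())
    tag3 = alice.finish(b"B", r_b, tag2)
    honest = bob.verify(b"A", tag3)
    # Recorded message 3 presented in a later session with a fresh R_B
    bob.respond(secrets.token_bytes(16))
    replayed = bob.verify(b"A", tag3)
    # A responder that claims to be B but holds a different key
    impostor = Party(b"B", secrets.token_bytes(32))
    r_m, tag_m = impostor.respond(alice.start())
    forged = alice.finish(b"B", r_m, tag_m)
    return honest, replayed, forged

if __name__ == "__main__":
    print(run())
```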

14 3.3 Authentication and Key Exchange
- Confidentiality and timeliness
  - Confidentiality: to prevent masquerade and compromise of session keys
  - Timeliness: to protect against replay attack
    - Sequences: overhead to keep track of numbers
    - Timestamps: accepted within allowable time windows; should not be used for connection-oriented applications because of sync. overhead
    - Challenge/Response: nonce; should not be used for connectionless applications because of "handshake" overhead

15 3.3 Authentication and Key Exchange
- Wide-Mouth Frog
  (1) Alice --> Trent : A, E_A(T_A, B, K)
  (2) Trent --> Bob : E_B(T_B, A, K)
  - User generates K?
- Yahalom
  (1) Alice --> Bob : A, R_A
  (2) Bob --> Trent : B, E_B(A, R_A, R_B)
  (3) Trent --> Alice : E_A(B, K, R_A, R_B), E_B(A, K)
  (4) Alice --> Bob : E_B(A, K), E_K(R_B)
  (5) Bob confirms R_B
  - Receiver Bob first contacts Trent!

16
- Needham-Schroeder
  (1) Alice --> Trent : A, B, R_A
  (2) Trent --> Alice : E_A(R_A, B, K, E_B(K, A))
  (3) Alice --> Bob : E_B(K, A)
  (4) Bob --> Alice : E_K(R_B)
  (5) Alice --> Bob : E_K(R_B - 1)
  - All nonces are used to prevent replay attack in the form of a challenge, but the handshake (or key confirmation) is vulnerable
  - Mallory with old session key K
    (3) Mallory --> Bob : E_B(K, A)
    (4) Bob --> Alice(Mallory) : E_K(R_B)
    (5) Mallory --> Bob : E_K(R_B - 1)
  - To prevent this, use E_B(K, A, T) in (2)
    - Even with knowledge of K, Step 3 is detected as untimely

17
- Neuman-Stubblebine
  - To prevent suppress-replay attack
  (1) Alice --> Bob : A, R_A
  (2) Bob --> Trent : B, R_B, E_B(A, R_A, T_B)
  (3) Trent --> Alice : E_A(B, R_A, K, T_B), E_B(A, K, T_B), R_B
  (4) Alice --> Bob : E_B(A, K, T_B), E_K(R_B)
    - R_A (R_B): assuring Alice (Bob) of timeliness
    - E_B(A, R_A, T_B): request for issuing credentials to Alice
    - T_B: time limit on key's use
    - No sync. is needed (why?)
  - Re-authentication without Trent
  (3) Alice --> Bob : E_B(A, K, T_B), R'_A
  (4) Bob --> Alice : R'_B, E_K(R'_A)
  (5) Alice --> Bob : E_K(R'_B)
  - Diagram label: Ticket

18
- Kerberos
  - Trusted Third-Party stores all the passwords
  - Kerberos System from MIT
  - Diagram labels: Client; KERBEROS: Authentication Server (AS), Ticket Granting Server (TG); Application Server; User Logon; Ticket Granting Ticket; Service Granting Ticket; Service for the Client

19 Kerberos
- Diagram labels: Authentication Server; Client; Application Server; (AS); Ticket Granting Server (TG)
- Alice, Password
- ID = 'Alice'
- Alice's Password  K{Alice}
- Ticket-granting Ticket = E_K1('Alice', K{Alice-TG})
- E_K{Alice}(K{Alice-TG}, Ticket-granting Ticket)
- Service-granting Ticket = E_K2('Alice', K{Alice-AS})
- E_K{Alice-TG}(K{Alice-AS}, Service-granting Ticket)
- Ticket-granting Ticket, E_K{Alice-TG}(Timestamp)
- Service-granting Ticket, E_K{Alice-AS}(Timestamp)

20
- Denning-Sacco
  - Using public-key cryptography
  (1) Alice --> Trent : A, B
  (2) Trent --> Alice : S_T(B, K_B), S_T(A, K_A)
  (3) Alice --> Bob : E_B(S_A(K, T_A)), S_T(B, K_B), S_T(A, K_A)
  - Bob can masquerade as Alice
  (1) Bob --> Trent : B, C
  (2) Trent --> Bob : S_T(B, K_B), S_T(C, K_A)
  (3) Bob --> Carol : E_C(S_A(K, T_A)), S_T(A, K_A), S_T(C, K_C)
  - Use the following in (3)
  (3) Alice --> Bob : E_B(S_A(A, B, K, T_A)), S_T(A, K_A), S_T(B, K_B)

21 3.4 Formal Analysis
- Method 1: Use general spec. language and verification tools
  - Proving correctness is not equal to proving security
- Method 2: Use expert system
  - Check if a protocol reaches an undesirable state.
  - What about unknown flaws?
- Method 3: Logic Model for Knowledge and Belief
  - BAN logic
- Method 4: View the protocol as an algebraic system

22 3.5 Multiple-Key PKC
- Multiple-Key Key Distribution
  - Let S be the set of keys and let S_1, S_2 be a partition of S
  - To encrypt, use S_1, and to decrypt, use S_2 (See Table 3.2 in pp.68)
- Broadcasting
  - One key for each - Too many M's (communication overhead!)
  - One key for every combination - Too many keys (huge user storage!)
  - Use Multiple-key - need to know which subset?
  - Various schemes proposed

23 3.6 Secret Splitting
- Split M into shares m_1, m_2, ...
  - Each share has no information of M
  - M can be reconstructed using all shares
- Example
  (1) Trent generates One-Time Pad R and computes S = M XOR R.
  (2) Trent --> Alice : R
  (3) Trent --> Bob : S
  (4) Bob and Alice reconstruct M = S XOR R.
  - What if any share is lost?

24 3.7 Secret Sharing
- (m, n)-threshold scheme
  - It is possible to construct a sharing scheme you can imagine
- With Cheaters
  - Valid member with invalid share
    - Fail to reconstruct
  - Reconstructing with Cheater
    - Cheater gets all m shares needed to reconstruct

25
- Without Trent
  - All members together create a secret without knowing the secret
- Without Revealing the Shares
  - Reuse the shares
- Verifiable Secret Sharing
- Publicly Verifiable Secret Sharing
- With Prevention
  - Use two shares, "yes" and "no"
- With Disenrollment
  - When one member is dispelled, activate a new scheme (?)

26 3.8 Cryptographic Protection of DB
- One Scheme
  Field 1 : Index h(last name)
  Field 2 : E_last(Information)
  - Without last name, hard to find information
  - Easy attack to construct whole DB

