@Yuan Xue Authentication Protocol and System Yuan Xue.


1 @Yuan Xue (yuan.xue@vanderbilt.edu) Authentication Protocol and System Yuan Xue

2 Authentication Basics
- User authentication is the process of reliably verifying the identity of someone (or something)
  - A computer/application/system authenticates another computer
  - A computer authenticates a person
    - The user's secret must be remembered by the user
- Data authentication (integrity)
  - Integrity = data integrity + source authentication + non-repudiation
  - Source authentication vs. non-repudiation
    - Source authentication protects the communicating parties from a third party
    - Non-repudiation protects the communicating parties from each other
  - MAC -> data integrity + data source authentication
  - Digital signature -> data integrity + data source authentication + non-repudiation

3 Authentication Basics
Types of authentication
- One-way authentication vs. mutual authentication
- One-time authentication vs. authentication combined with key exchange (part of secure communication)
Diagram labels: Authentication + key exchange; Key; Secure communication (encryption + MAC)

4 Authentication Approaches
- Password-based
- Address-based
- Cryptographic (focus)
- Other approaches: biometrics
Basic guideline: what you know, what you have, who you are, where you are

5 Password Basics
- A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource.
- Criteria for picking a password: easy to remember, hard to guess.
- Passwords must be kept secret. They are usually stored in a file or a database so that the system can perform password verification when a user attempts to log in or access a restricted resource.
Reference: http://en.wikipedia.org/wiki/Password http://en.wikipedia.org/wiki/Password_cracking

6 Password-Based Authentication
Authentication based on a password (what you know)
- Pro: easy to use
- Con: insecure (eavesdropping)
- Solution -> combine with cryptography-based approaches
Diagram: Alice -> Bob: "I'm Alice, my passwd is 123456"

7 Password Storage
To preserve the confidentiality of passwords, they are typically not stored in cleartext form. Password storage formats include:
- Hash function: a one-way hash function is applied to the password, possibly in combination with other data (e.g., salt), and the resulting value is stored. When a user later attempts to authenticate by entering the password, the same function is applied to the entered value and the result is compared with the stored value. If they match, there is an extremely high probability that the entered password was correct.

8 Password Cracking
Password cracking is the process of recovering passwords from data that has been stored in a computer system or transmitted over the network.
- Offline password guessing: an attacker who possesses the hashed password can either try to reverse the hash function or test guesses for the password by applying the one-way function to each guess.
- Online password guessing: without the hashed version of a password, the attacker can still attempt access to the computer system in question with guessed passwords.
  - Solution: existing systems typically limit the number of failed access attempts

9 Password Cracking (Cont'd)
Password cracking methods
- Exploit weaknesses of a poorly designed password hashing scheme
  - E.g., LM (LanManager), used in Microsoft Windows XP
- Brute-force and precomputation attacks: hash a large number of words or random permutations and compare the result of each guess to the stored hashed password
  - Solution: salting
- Other ways to obtain passwords: social engineering, keystroke logging, login spoofing, dumpster diving, phishing, shoulder surfing, timing attack, acoustic cryptanalysis, using a Trojan horse or virus, identity management system attacks (such as abuse of self-service password reset) and compromising host security
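The storage format from slide 7 and the salting fix from slide 9, as an added example that is not part of the original slides. PBKDF2-HMAC-SHA256, the iteration count, and the account names and word list are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def unsalted_hash(password: str) -> bytes:
    """Weak format: equal passwords give equal stored values."""
    return hashlib.sha256(password.encode()).digest()


def store_password(password: str) -> tuple:
    """Return (salt, digest), the pair kept in the password file."""
    salt = os.urandom(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(entered: str, salt: bytes, stored: bytes) -> bool:
    """Apply the same function to the entered value and compare with the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", entered.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def accounts_exposed_by_table(stored: dict, table: dict) -> list:
    """Accounts whose stored value appears in a precomputed hash -> word table."""
    return sorted(user for user, value in stored.items() if value in table)


# Constructed sample data: two accounts that chose the same password.
TABLE = {unsalted_hash(w): w for w in ("123456", "password", "letmein")}
UNSALTED_DB = {"alice": unsalted_hash("123456"), "bob": unsalted_hash("123456")}
SALTED_DB = {u: store_password("123456") for u in ("alice", "bob")}
```

With the unsalted format one precomputed table covers every account at once; with per-account salts the same table matches nothing, and each guess has to be recomputed per account.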

10 Address-based Authentication
Authentication based on where you are
- Infer the identity of the source based on the network address
- Examples: IEEE Xplore / ACM DL, Unix rtools
- Pro: easy to use, transparent to the end user

11 Address-based Authentication
- In UNIX, the hosts.equiv and .rhosts files list hosts and users that are trusted by the local host when a connection is made using the rshd service
- A global file, /etc/hosts.equiv, contains trusted remote hosts.
- In each user's home directory, a per-user .rhosts file contains host-user pairs.

12 Address-based Authentication
File format
  hostname [username]
  "+" means any host/user
Example hosts.equiv entries (local computer A)
  + +      -> Allows any user from any host to connect to A
  B +      -> Allows any user from the remote host B to connect to A
  + Alice  -> Allows the user Alice to connect to A from any remote host

13 Address-based Authentication
Example .rhosts entries
In these examples, the .rhosts file is located in the home directory of the user Alice on computer A.
  + +    -> Allows any user from any host to connect to this host (A) as the user Alice
  B Bob  -> Allows the user Bob from the remote host B to connect to A as the user Alice

14 Address-based Authentication
How the hosts.equiv and the .rhosts files combine
- Rule: the most restrictive combination of the entries applies
- hosts.equiv file with .rhosts in the home directory of the user Alice with the following entry:
    B +
- In this case, these entries combine to mean that only the user Alice from the remote host B can connect to A as Alice.

15 Issues With Address-based Authentication
- Entry -> severe security hazards
  - It allows any user on any machine to connect to the local host as the same user name.
  - If it is specified in the /etc/hosts.equiv file, it allows any user on any machine to connect to the local host as any user.
- If A trusts B and B is hacked, then the attacker could gain access to A.
- Network address impersonation (address spoofing)
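An audit pass over trust files in the "hostname [username]" format from slides 12 to 15, as an added example that is not part of the original slides. The severity labels, the function names and the "~alice/.rhosts" path are assumptions made for the illustration; the sample entries are constructed from the ones the slides show.

```python
ANY = "+"  # "+" matches any host or any user in hosts.equiv / .rhosts


def audit_trust_file(text: str, filename: str) -> list:
    """Classify every 'hostname [username]' entry by how much it trusts."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        if not fields:
            continue  # blank line
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == ANY and user in (ANY, None):
            severity, reason = "critical", "any host is trusted for any or same-name users"
        elif host == ANY:
            severity, reason = "high", f"user {user} is trusted from any host"
        elif user == ANY:
            severity, reason = "high", f"any user on host {host} is trusted"
        else:
            severity, reason = "review", f"compromise of {host} extends to this host"
        findings.append((filename, lineno, " ".join(fields), severity, reason))
    return findings


# Constructed sample files built from the entries shown on the slides.
HOSTS_EQUIV = "+ +\nB +\n+ Alice\n"
ALICE_RHOSTS = "B Bob\n\n+ +\n"


def worst_entries(findings: list) -> list:
    """Entries that should be removed first."""
    return [(f, n, e) for f, n, e, sev, _ in findings if sev == "critical"]


if __name__ == "__main__":
    report = audit_trust_file(HOSTS_EQUIV, "/etc/hosts.equiv")
    report += audit_trust_file(ALICE_RHOSTS, "~alice/.rhosts")  # hypothetical path
    for row in report:
        print(*row, sep="\t")
```

Even an entry rated "review" still rests on the source address, so it inherits the spoofing and trusted-host-compromise issues listed on slide 15.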

16 Cryptographic Authentication
For connection-oriented communication, the overall process involves authentication + secure communication (connection)
- Based on prior knowledge/ownership of master key
- Dependably verify the knowledge/ownership of key
- Distribution of session keys
- Integrity protection and/or encryption of the data using session keys
Slide labels: authentication; what you know/have

17 Cryptographic Authentication
For connection-less communication, the overall process involves authentication + data transmission
- Based on prior knowledge/ownership of key
- Generation of data encryption/MAC generation keys
- Integrity protection and/or encryption of the data using data encryption/MAC generation keys
One-time authentication
- E.g., prove a driver's identity to a secured gate
Slide label: what you know/have

18 Cryptographic Authentication
Basic idea
- Alice proves her identity to Bob by performing a cryptographic operation on a quantity (challenge) Bob supplies.
- The cryptographic operation performed by Alice is based on Alice's key.
- Cryptographic operations include symmetric key encryption, asymmetric key encryption, hash operations.

19 Cryptographic Authentication
Approaches
- Symmetric-key based
  - Distributed (communication peers share a master key)
  - KDC-based (communication peers share master keys with KDC)
- Asymmetric-key based
Two types of authentication
- One-way authentication (login only)
- Mutual authentication
Other issues
- How to retrieve the key (a human being cannot remember it)

20 Authentication using Symmetric-Key (Distributed One-Way Authentication)
A priori: Alice and Bob share a master key
Result: Alice proves her identity to Bob
Diagram:
  Alice -> Bob: "I'm Alice"
  Bob -> Alice: R
  Alice -> Bob: F(K_AB, R)
  F(K_AB, R): E(K_AB, R), H(K_AB || R)

21 Authentication using Symmetric-Key (Distributed One-Way Authentication)
A priori: Alice and Bob share a master key
Result: Alice proves her identity to Bob; if R is a timestamp, Bob can also prove his identity (mutual authentication)
Requires reversible cryptography
Diagram messages between Alice and Bob: "I'm Alice"; R; E(K_AB, R)

22 Authentication using Symmetric-Key (Distributed Mutual Authentication)
Diagram:
  Alice -> Bob: "I'm Alice"
  Bob -> Alice: R1
  Alice -> Bob: F(K_AB, R1)
  Alice -> Bob: R2
  Bob -> Alice: F(K_AB, R2)
  F(K_AB, R): E(K_AB, R), H(K_AB || R)
Limitation
- Too many messages
- Could we reduce them?

23 Authentication using Symmetric-Key (Distributed Mutual Authentication)
Original:
  Alice -> Bob: "I'm Alice"
  Bob -> Alice: R1
  Alice -> Bob: F(K_AB, R1)
  Alice -> Bob: R2
  Bob -> Alice: F(K_AB, R2)
Simplify:
  Alice -> Bob: "I'm Alice", R2
  Bob -> Alice: R1, F(K_AB, R2)
  Alice -> Bob: F(K_AB, R1)
Any problem?

24 Reflection Attack
Reflection attack
- A way of attacking a challenge-response authentication system which uses the same protocol in both directions.
- The basic idea is to trick the target into providing the answer to its own challenge.
Flawed protocol design:
  Alice -> Bob: "I'm Alice", R2
  Bob -> Alice: R1, F(K_AB, R2)
  Alice -> Bob: F(K_AB, R1)
This is what's going to happen:
  Session 1, Cathy -> Bob: "I'm Alice", R2
  Session 1, Bob -> Cathy: R1, F(K_AB, R2)
  Session 2, Cathy -> Bob: "I'm Alice", R1
  Session 2, Bob -> Cathy: R3, F(K_AB, R1)
  Session 1, Cathy -> Bob: F(K_AB, R1)

25 Reflection Attack -- Solutions
Principle: don't have Alice and Bob do exactly the same thing
- Different protocol along the two directions
  - The responder sends its identifier within the response, so if it receives a response that has its identifier in it, it can reject it.
- Have the initiator prove its identity first
  - The initiating party first responds to challenges before the target party responds to its challenges.
Diagram:
  Alice -> Bob: "I'm Alice", E(K_AB, R2)
  Bob -> Alice: E(K_AB, f(R2) || R1)
  Alice -> Bob: E(K_AB, f(R1))
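A small model of Bob's side of the simplified three-message exchange, showing why the reflected value passes when both directions compute the same F and fails once the sender's identifier is bound into the response. This is an added example, not part of the original slides; HMAC-SHA256 as F, the "|" separator, the class layout and the session ids are assumptions.

```python
import hashlib
import hmac
import os

K_AB = os.urandom(32)  # master key shared by Alice and Bob (constructed)


def F(key: bytes, *parts: bytes) -> bytes:
    """Keyed function F(K_AB, ...) from the slides, instantiated with HMAC-SHA256."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class Bob:
    """Responder for the three-message mutual authentication."""

    def __init__(self, key: bytes, bind_identity: bool):
        self.key = key
        self.bind_identity = bind_identity
        self.pending = {}  # session id -> challenge R1 that Bob issued

    def _tag(self, sender: bytes, challenge: bytes) -> bytes:
        # Hardened form mixes the sender's identifier into the response.
        if self.bind_identity:
            return F(self.key, sender, challenge)
        return F(self.key, challenge)

    def hello(self, sid: int, r2: bytes):
        """Message 1 in, message 2 out: (R1, F(K_AB, R2))."""
        r1 = os.urandom(16)
        self.pending[sid] = r1
        return r1, self._tag(b"Bob", r2)

    def finish(self, sid: int, response: bytes) -> bool:
        """Message 3: accept only the initiator's answer to R1."""
        r1 = self.pending.pop(sid)
        return hmac.compare_digest(response, self._tag(b"Alice", r1))


def reflected_response_accepted(bind_identity: bool) -> bool:
    """Feed Bob's own answer from a second session back into the first."""
    bob = Bob(K_AB, bind_identity)
    r1, _ = bob.hello(1, os.urandom(16))  # session 1: Bob challenges with R1
    _, echoed = bob.hello(2, r1)          # session 2: R1 comes back as the challenge
    return bob.finish(1, echoed)          # only Bob ever used K_AB here
```

`reflected_response_accepted(False)` returns True for the symmetric protocol and `reflected_response_accepted(True)` returns False, while an honest initiator who knows K_AB still passes in both modes.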

26 Announcement
- Homework 3 release
- Midterm exam signup

27 Authentication using Symmetric-Key (KDC-based Authentication)
Basic idea
- KDC and A can establish a trust relationship using K_A
- KDC and B can establish a trust relationship using K_B
- KDC needs to provide A and B with a shared secret, based on their master keys, that they can use to authenticate each other
- Once A and B have a shared secret (K_S), the procedure used in distributed symmetric-key-based authentication can be used to perform mutual authentication.
Step 1: KDC provides A and B a shared secret K_S
Step 2: A and B perform mutual authentication using K_S

28 Step 1
- Similar to secret key distribution
- Important issue: replay attack
- Solution
  - Use of nonce
  - Use of timestamp
Needham-Schroeder:
  A -> KDC: ID_A || ID_B || N1
  KDC -> A: E[K_A, Ks || ID_B || N1 || ticket], where ticket = E[K_B, Ks || ID_A]
  A -> B: E[K_B, Ks || ID_A]
Both are vulnerable to replay attack
Kerberos:
  A -> KDC: ID_A || ID_B || T1
  KDC -> A: E[K_A, Ks || ID_B || T1 || ticket], where ticket = E[K_B, Ks || ID_A || T2]

29 Step 2
Combine two one-way distributed authentication procedures
  A -> KDC: ID_A || ID_B || T1
  KDC -> A: E[K_A, Ks || ID_B || T1 || ticket], where ticket = E[K_B, Ks || ID_A || T2]
  A -> B: E[K_B, Ks || ID_A || T2], E[Ks, N2]
  B -> A: E[Ks, f(N2), N3]
  A -> B: E[Ks, f(N3)]

30 Kerberos
- An authentication service
  - Based on the client-server model (user and server provider)
  - Mutual authentication support: between user and server
- Key assumption: the server cannot rely on the client host to authenticate the user
- Basics
  - KDC-based authentication using symmetric keys
  - Based on the Needham-Schroeder protocol
  - Uses a "ticket" to distribute the key
  - Uses an "authenticator" to prove the identity of a user
- Main entities
  - Authentication Server (AS)
  - Ticket Granting Server (TGS)

33 Authentication vs. Key Distribution
Cryptographic authentication
- Based on prior knowledge/ownership of key
- Dependably verify the knowledge of key
- Distribution of session keys (for connection-oriented communication)
Key distribution
- Prior knowledge/ownership of master keys
- Distribution of session keys after verification of master keys
- Symmetric key
  - A, B share a master key with KDC
  - A and B share a master key
- Asymmetric key
  - A and B both have a pair of public and private keys
  - The public keys of A and B are reliably distributed to each other

34 Authentication Summary
- Types
  - One-way vs. mutual
  - Authentication-only vs. secure data communication (any authentication-only protocol is vulnerable to a man-in-the-middle attack)
- Secure communication
  - An initial authentication handshake
  - Distribution of session keys
  - Then integrity protection and/or encryption of the data
- Approaches: symmetric key (KDC, distributed), asymmetric key
- Authentication service: Kerberos (composed Needham-Schroeder protocol)
- Attacks on authentication
  - Replay attack (use of nonce/timestamp)
  - Reflection attack

35 Timestamp vs. Nonce
Both are used to prevent replay.
- Timestamp
  - Needs a synchronized system
  - The timestamp itself shows the "freshness" of the message -> uses fewer messages
  - Has an implicit structure
  - More suitable for connectionless communication
- Nonce
  - The nonce itself does not show anything about "freshness"; it has to come in the form of a challenge-response pair -> more messages
  - Structure on the nonce to prevent reflection attacks
  - The challenge (N) can be encrypted; the response encrypts a function of N (f(N))
    - An encrypted challenge ensures the randomness (unpredictability) of the nonce
    - If N has a structure, an encrypted N is a weak way to show one's ID in the challenge (no timing info, could be a replay)
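The two freshness checks compared above, written as receiver-side verifiers. This is an added example, not part of the original slides: it authenticates messages with HMAC-SHA256 instead of the encryption E[...] used on the slides, and the skew value, the class names and the cache of already-accepted timestamps are assumptions that go beyond the slide text.

```python
import hashlib
import hmac
import os

MAX_SKEW = 300  # seconds of clock difference tolerated (assumed value)


def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class TimestampVerifier:
    """One message: the sender's timestamp T itself shows freshness."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()  # (sender, T) pairs already accepted inside the window

    def accept(self, sender: bytes, t: int, tag: bytes, now: int) -> bool:
        if abs(now - t) > MAX_SKEW:
            return False  # stale, or the clocks are not synchronized
        if not hmac.compare_digest(tag, mac(self.key, sender, str(t).encode())):
            return False
        if (sender, t) in self.seen:
            return False  # replay inside the skew window
        self.seen.add((sender, t))
        return True


class NonceVerifier:
    """Two messages: a nonce proves freshness only as a challenge-response pair."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()

    def challenge(self) -> bytes:
        n = os.urandom(16)  # unpredictable challenge N
        self.outstanding.add(n)
        return n

    def accept(self, sender: bytes, n: bytes, tag: bytes) -> bool:
        if n not in self.outstanding:
            return False  # never issued, or already answered once
        self.outstanding.discard(n)
        return hmac.compare_digest(tag, mac(self.key, sender, n))
```

The timestamp path needs one message but depends on clock synchronization and on remembering what was accepted within the window; the nonce path needs no clock but costs an extra round trip.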

36 Misc
How to retrieve the key
- Computer: easy
- A human cannot remember the key
  - How to convert password -> key
    - Doing a hash of the password
    - Using the password to encrypt/decrypt a key which is stored in a computer/directory service

37 Readings
- Required readings: [WS] 15.1-15.4
- Suggested reading: [KPS] Chapter 11

