Presentation is loading. Please wait.

Presentation is loading. Please wait.

刘振 上海交通大学 计算机科学与工程系 电信群楼3-509

Published byΒαλτάσαρ Ζάχος Modified over 6 years ago

Similar presentations

Presentation on theme: "刘振 上海交通大学 计算机科学与工程系 电信群楼3-509"— Presentation transcript:

1 刘振 上海交通大学 计算机科学与工程系 电信群楼3-509 liuzhen@sjtu.edu.cn
网络安全技术 刘振 上海交通大学 计算机科学与工程系 电信群楼3-509

2 Authentication and Key Exchange

3 Authentication Alice proves her identity to Bob
Alice and Bob can be humans or computers May also require Bob to prove that he is Bob (mutual authentication) E.g. ATM machines

4 Authentication Authentication on a stand-alone computer with physically secure connection is relatively simple Authentication over a network is much more complex Attacker can passively observe messages Attacker can replay messages Usually need an encrypted channel to do so securely

5 Authentication Example: ATM Machine Protocol
Insert ATM card Enter PIN Correct PIN? Yes? Conduct your transaction(s) No? Machine eats card Authentication between a prover and a verifier with physically secure connection is relatively simple. Authentication over an open network is more complex.

6 One-way authentication over an open network
There may have eavesdroppers on an open network. Username, password Alice Server An eavesdropper can steal Alice’s login information and then logon to the Server as Alice by replaying Alice’s login information (replay attack).

7 One-way authentication over an open network
How about PK, Certserver Alice Server EPK(Username, password) Secure channel or Username, h(password) Alice Server Adversary simply replays EPK(Username, password) or h(password) in the impersonation of Alice in the replay attack.

8 Challenge-Response One-Way Authentication
To defend against replay attack Suppose Bob wants to authenticate Alice Challenge sent from the verifier, Bob, to the prover, Alice Only Alice should be able to provide the correct response N Alice Server F(passwd, N) Challenge N is a nonce (number used only once) N does not need to be a random number F(passwd, N) is the response where F is a one-way function and “passwd” is the password of Alice Examples of F: hash function, block cipher Only Alice and the Server know the value of passwd. Hence only Alice can provide the correct response to the Server.

9 Challenge-Response One-Way Authentication
If Alice is a “device”, passwd can be changed to a symmetric key “I’m Alice” Nonce h(K, Nonce) Bob, K Alice, K Usually, we ignore the first message flow from Alice to Bob when describing a protocol: Nonce h(K, Nonce) Alice, K Bob, K

10 Other Challenge-Response Techniques (symmetric key based)
Nonce MAC(K, Nonce) Alice, K Bob, K E(K, Nonce) Nonce Alice, K Bob, K Nonce E-1(K, Nonce) Alice, K Bob, K

11 Mutual Authentication
Alice authenticates Bob and Bob authenticates Alice. Suppose Alice and Bob pre-share a symmetric key KAB. IDAlice, R1 R2, E(KAB ,”IDBob, R1”) E(KAB ,”IDAlice, R1, R2”) Alice Bob

12 Public Key Notations and Assumption
Encrypt M under Alice’s public key: {M}Alice Sign M with Alice’s private key: [M]Alice All public keys are assumed to be certified (e.g. digital certificates) and become publicly known.

13 Public Key Based One-Way Authentication
{R}Alice R Alice Bob R [R]Alice Alice Bob

14 Public Keys Don’t use the same key pair for encryption and signing
One key pair for encryption/decryption A different key pair for signing/verifying signatures In a nutshell, one key pair for one purpose

15 Key Exchange A Key Exchange Protocol is a communication protocol between two parties with the purpose of establishing a session key after each successful run of the protocol. E.g. Diffie-Hellman Key Exchange Protocol A session key is used for generating all other keys used for one particular session E.g. derived keys can be used for confidentiality; some other derived keys can be used for message authentication/integrity Why not use the long-term pre-shared symmetric key for all the sessions? Reduce the chance of having all sessions compromised The objective of using session keys for different sessions is that if all the keys of one session have been compromised, the keys for other sessions would remain secure as long as the long-term keys are secure. Sometimes, we also want Perfect Forward Secrecy (PFS) To be discussed later

16 Key Exchange – Adversarial Capabilities
When designing a key exchange protocol, we have to determine the capabilities of the potential adversaries first. E.g. If the key exchange protocol will only be used with the presence of passive adversaries (i.e. eavesdroppers), then Diffie-Hellman Key Exchange Protocol is considered secure. However, if an active adversary is present (e.g. a man-in-the-middle attacker), then Diffie-Hellman Key Exchange Protocol is NOT considered secure. In the following, let’s consider that an active adversary is present. The adversary can intercept, modify and replay messages exchanged between any two communicating parties.

17 Key Exchange (Public Key Based)
IDAlice, R IDBob, {R,K}Alice {R +1,K}Bob Alice Bob K is the session key Is this secure? An adversary can impersonate Bob.

18 Key Exchange (Public Key Based)
IDAlice, R IDBob, [R,K]Bob [R +1,K]Alice Alice Bob K is the session key Is this secure? Even a passive adversary can find out the session key value.

19 Key Exchange (Public Key Based)
IDAlice, R IDBob, {[R,K]Bob}Alice {[R +1,K]Alice}Bob Alice Bob

20 Perfect Forward Secrecy
The concern… Alice encrypts message with long-term pre-shared key KAB and sends ciphertext to Bob Trudy records ciphertext and later attacks Alice’s (or Bob’s) computer to find KAB Then Trudy decrypts recorded messages Perfect forward secrecy (PFS): Trudy cannot later decrypt recorded ciphertext Even at some later time that Trudy gets key KAB or other secret(s) Does any of the previously discussed protocols supports PFS?

21 Perfect Forward Secrecy
Can use Diffie-Hellman for PFS Recall Diffie-Hellman: public g and p ga mod p gb mod p Alice Bob Secure against passive adversaries. Insecure against active adversaries, e.g. MITM attacker. How to have PFS while secure against active adversaries? To defend against active adversaries Use nonce to defend against replay attack Use authentication to defend against impersonation attack

22 Perfect Forward Secrecy
E(KAB, ga mod p) E(KAB, gb mod p) Alice Bob Session key KS = gab mod p Alice forgets a, Bob forgets b Note: Not even Alice and Bob can later recover KS

23 Public-key-based Key Exchange with PFS
“I’m Alice”, RA RB, [{RA, gb mod p}Alice]Bob [{RB, ga mod p}Bob]Alice Bob Alice Session key is K = gab mod p Alice forgets a and Bob forgets b If Trudy later gets Bob’s and Alice’s secrets, she cannot recover session key K

24 Summary Authentication Key exchange Perfect Forward secrecy
One-way authentication Mutual authentication Passive adversaries vs. active adversaries Replay attack, impersonation attack, Challenge-response Key exchange Perfect Forward secrecy

Download ppt "刘振 上海交通大学 计算机科学与工程系 电信群楼3-509"

Similar presentations

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
CMSC 414 Computer and Network Security Lecture 23 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 23 Jonathan Katz.
Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.

Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Strong Password Protocols

Strong Password Protocols
Network Security – Part 2 (Continued) Lecture Notes for May 8, 2006 V.T. Raja, Ph.D., Oregon State University.

Network Security – Part 2 (Continued) Lecture Notes for May 8, 2006 V.T. Raja, Ph.D., Oregon State University.
Chapter 9 Simple Authentication Protocols

Chapter 9 Simple Authentication Protocols
1 Lecture 9: Cryptographic Authentication objectives and classification one-way –secret key –public key mutual –secret key –public key establishing session.

1 Lecture 9: Cryptographic Authentication objectives and classification one-way –secret key –public key mutual –secret key –public key establishing session.
Digital Signatures, Message Digest and Authentication Week-9.

Digital Signatures, Message Digest and Authentication Week-9.
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Authentication Protocols (I): Secure Handshake.

The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Authentication Protocols (I): Secure Handshake.
Network Security and It’s Issues Presenter Prosanta Gope Advisor Prof. Tzonelih Hwang Quantum Information and Network Security Lab, NCKU,2015.

Network Security and It’s Issues Presenter Prosanta Gope Advisor Prof. Tzonelih Hwang Quantum Information and Network Security Lab, NCKU,2015.

Similar presentations

Ads by Google