Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSC 482/582: Computer Security

Published byFay Tucker Modified over 5 years ago

Similar presentations

Presentation on theme: "CSC 482/582: Computer Security"— Presentation transcript:

1 CSC 482/582: Computer Security
Cryptographic Protocols CSC 482/582: Computer Security

2 Topics Dramatis Personae and Notation Session and Interchange Keys
Key Exchange Key Generation Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures CSC 482/582: Computer Security

3 Dramatis Personae Cathy, the Computer, trusted 3rd party. Alice, the
1st participant Bob, the 2nd participant Eve, the Eavesdropper CSC 482/582: Computer Security

4 Notation X sends Y a message Z encrypted with key k.
X  Y : { Z} k Concatenation of bit sequences A and B A || B Key subscripts indicate ownership kA is the key belonging to user A(lice) kA,B is a key shared by A(lice) and B(ob) Nonces (nonrepeating random numbers) r1, r2 CSC 482/582: Computer Security

5 Symmetric Key Problems
Keys must be distributed in secret. If key is compromised, Eve can decrypt all message traffic encrypted with key. If each pair of users needs a key, number of keys n(n-1) increases rapidly with size of network. CSC 482/582: Computer Security

6 Mixed PK/Classical Encryption
Alice communicates with Bob using PK cipher. Alice randomly generates session key ks. Key ks used only for this single message. Alice enciphers ks with Bob’s public key kB . kB enciphers all session keys Alice uses to communicate with Bob. Called an interchange key. Alice sends { m } ks || { ks } kB to Bob. CSC 482/582: Computer Security

7 Session Key A key used to encrypt a single session. Advantages
Reduces data ciphered with a single key. Protection against replay attacks. Prevents forward search attack. Forward search example Alice client of Bob’s brokerage. Communicates with BUY and SELL messages. Eve enciphers both messages with Bob’s key. Compares intercepted traffic with ciphertext. CSC 482/582: Computer Security

8 Key Exchange Algorithms
Goal: Alice, Bob obtain shared secret key. Requirements: Key cannot be sent in clear: Attacker can intercept key. Key can be sent enciphered, or derived from exchanged data plus data not known to an eavesdropper. Alice, Bob may trust third party (Cathy.) All cryptosystems, protocols publicly known Only secret data is keys or data used to derive keys. Anything transmitted is assumed known to attacker. CSC 482/582: Computer Security

9 Classical Key Exchange
Bootstrap problem: how do Alice, Bob begin? Alice can’t send it to Bob in the clear! Assume trusted third party, Cathy Alice and Cathy share secret key kA. Bob and Cathy share secret key kB. Let Cathy generate shared key ks. Cathy can send it securely to either A or B. CSC 482/582: Computer Security

10 Simple Key Exchange Protocol
Alice Cathy { request for session key to Bob } kA { ks } kA || { ks } kB Bob { ks } kB CSC 482/582: Computer Security

11 Problems How does Bob know he is talking to Alice?
Replay attack: Eve records message from Alice to Bob, later replays it; Bob may think he’s talking to Alice, but he isn’t. Session key reuse: Eve replays key exchange message from Alice to Bob, so Bob re-uses session key. Protocols must provide authentication and defense against replay. CSC 482/582: Computer Security

12 Needham-Schroeder Alice Cathy Alice || Bob || r1 { Alice || Bob || r1 || ks || { Alice || ks } kB } kA Bob { Alice || ks } kB { r2 } ks { r2 – 1 } ks Cathy CSC 482/582: Computer Security

13 Is Alice really talking to Bob?
Second message Cathy encrypted it, since only A, C know key kA. It must be a response to first message as contains r1. Third message Alice knows only Bob can read it since encrypted w/ kB. Any messages enciphered with kS are from Bob, since only Alice, Bob, and Cathy have kS. CSC 482/582: Computer Security

14 Is Bob really talking to Alice?
Third message Cathy encrypted it, since only B, C know key kB. Cathy provides session key, says Alice is other party. Fourth message Uses session key to determine if 3rd was replay. If not, Alice will respond correctly in fifth message. If 3rd message was replay attack, Eve can’t decipher r2 and so can’t respond, or responds incorrectly. CSC 482/582: Computer Security

15 Needham-Schroeder Assumptions
A trusted 3rd party exists, Cathy. Many transactions require 3rd parties. Session keys are always secure. What if Eve can obtain old keys? CSC 482/582: Computer Security

16 Denning-Sacco Modification
Eve can impersonate Alice if she can obtain old ks. 1. Eve replays Alice’s message { Alice || ks } kB. 2. Eve uses old ks to decipher Bob’s random number query. Eve Bob { Alice || ks } kB { r2 } ks { r2 – 1 } ks CSC 482/582: Computer Security

17 Solution How can we avoid replay in step 3 of N-S?
Use time stamp T to detect replay. Weakness: if clocks not synchronized, may either reject valid messages or accept replays. Parties with slow/fast clocks vulnerable to replay. Resetting clock does not eliminate vulnerability. CSC 482/582: Computer Security

18 Needham-Schroeder + Denning-Sacco Mod
Bob will reject message if timestamp T is too old. Alice Cathy Alice || Bob || r1 { Alice || Bob || r1 || ks || { Alice || T || ks } kB } kA Bob { Alice || T || ks } kB { r2 } ks { r2 – 1 } ks CSC 482/582: Computer Security

19 Otway-Rees Protocol Corrects replay attack w/o timestamps.
Not vulnerable to clock skew problems of Denning-Sacco modification. Uses integer n to associate all messages with a particular exchange. CSC 482/582: Computer Security

20 Otway-Rees Protocol Alice Bob
n || Alice || Bob || { r1 || n || Alice || Bob } kA Cathy n || Alice || Bob || { r1 || n || Alice || Bob } kA || { r2 || n || Alice || Bob } kB n || { r1 || ks } kA || { r2 || ks } kB n || { r1 || ks } kA CSC 482/582: Computer Security

21 Argument: Alice talking to Bob
Fourth message If n matches first message, Alice knows it is part of this protocol exchange. Cathy generated ks because only she & Alice know kA . Enciphered part belongs to exchange as r1 matches r1 in encrypted part of first message . CSC 482/582: Computer Security

22 Argument: Bob talking to Alice
Third message If n matches second message, Bob knows it is part of this protocol exchange. Cathy generated ks because only she & Bob know kB . Enciphered part belongs to exchange as r2 matches r2 in encrypted part of second message. CSC 482/582: Computer Security

23 Defeating Replay Attacks
Eve acquires old ks, message in third step: n || { r1 || ks } kA || { r2 || ks } kB Eve forwards appropriate part to Alice: Alice has no ongoing key exchange with Bob: n matches nothing, so is rejected. Alice has ongoing key exchange with Bob: n does not match, so is again rejected. If replay is for the current key exchange, and Eve sent the relevant part before Bob did, Eve could simply listen to traffic; no replay needed. CSC 482/582: Computer Security

24 Kerberos Authentication system
Based on Needham-Schroeder with Denning-Sacco modification. Central server plays role of trusted 3rd party Cathy. Ticket vouches for identity of requester of service. Active Directory = Kerberos + LDAP CSC 482/582: Computer Security

25 Ticket Granting Service
Requirement: Users only enter password once. User u authenticates to Kerberos server. Gets ticket Tu,TGS for ticket granting service (TGS) Requirement: Users don’t send password over net. Diagrams from O’Reilly’s Kerberos: The Definitive Guide CSC 482/582: Computer Security

26 Service Tickets Procedure for a user u to use service s:
User sends authenticator Au, ticket Tu,TGS to TGS asking for ticket for service. TGS sends ticket Tu,s to user. User sends Au, Tu,s to server as request to use s. CSC 482/582: Computer Security

27 Tu,s = s || { u || u’s address || valid time || ku,s } ks
Ticket Details Credential saying issuer has identified requester. Example ticket issued to user u for service s Tu,s = s || { u || u’s address || valid time || ku,s } ks where: ku,s is session key for user and service. Valid time is interval for which ticket valid. u’s address may be IP address or something else. CSC 482/582: Computer Security

28 Au,s = { u || generation time || kt } ku,s
Authenticator Credential containing identity of sender of ticket. Contains username and session key to confirm sender is entity to which ticket was issued. Authenticator cannot be accessed without ticket, since data encrypted with ku,s. Authenticator user u generates for service s Au,s = { u || generation time || kt } ku,s where: kt is alternate session key. Time is when authenticator generated. CSC 482/582: Computer Security

29 Public Key Exchange Here interchange keys known Simple protocol
eA, eB Alice and Bob’s public keys known to all dA, dB Alice and Bob’s private keys known only to owner Simple protocol ks is desired session key. Alice Bob { ks } eB CSC 482/582: Computer Security

30 Problem and Solution Vulnerable to forgery or replay
Because eB known to anyone, Bob has no assurance that Alice sent message. Simple fix uses Alice’s private key ks is desired session key. Alice Bob { { ks } dA } eB CSC 482/582: Computer Security

31 Notes Can include message enciphered with ks
Assumes Bob has Alice’s public key, and vice versa If not, each must get it from public server. If keys not bound to identity of owner, attacker Eve can launch a man-in-the-middle attack (next slide; Cathy is public server providing public keys.) Solution: Public key infrastructure (PKI) CSC 482/582: Computer Security

32 Man-in-the-Middle Attack
Alice Cathy please send Bob’s public key Eve eB eE Bob { ks } eE { ks } eB Eve intercepts request Eve intercepts message CSC 482/582: Computer Security

33 Cryptographic Key Infrastructure
Solution: bind identity to key Classical: not possible as all keys are shared Use protocols to agree on a shared key (see earlier.) Public key: bind identity to public key Crucial as people will use key to communicate with principal whose identity is bound to key. Erroneous binding means no secrecy between principals. Assume principal identified by an acceptable name. CSC 482/582: Computer Security

34 Certificates Create token (message) containing:
Identity of principal (here, Alice) Corresponding public key Timestamp (when issued) Other information (perhaps identity of signer) signed by trusted authority (Cathy.) CA = { eA || Alice || T } dC CSC 482/582: Computer Security

35 Use Bob downloads Alice’s certificate
If he knows Cathy’s public key, he can decipher the certificate When was certificate issued? Is the principal Alice? Now Bob has Alice’s public key. Problem: Bob needs Cathy’s PK to validate cert. Problem pushed up a level. Solution: signature chains. CSC 482/582: Computer Security

36 Certificate Signature Chains
Create certificate: Generate hash of identification information of requester. Encipher hash with issuer’s private key. Validate Obtain issuer’s public key. Decipher enciphered hash. Recompute hash from certificate and compare. CSC 482/582: Computer Security

37 X.509 (SSL) Certificates Some certificate components in X.509v3:
Version Serial number Signature algorithm identifier: hash algorithm Issuer’s name; uniquely identifies issuer Interval of validity Subject’s name; uniquely identifies subject Subject’s public key Signature: enciphered hash CSC 482/582: Computer Security

38 X.509 Certificate Validation
Obtain issuer’s public key The one for the particular signature algorithm Decipher signature Gives hash of certificate Recompute hash from certificate and compare If they differ, there’s a problem Check interval of validity This confirms that certificate is current CSC 482/582: Computer Security

39 Issuers X<<Y>>
Certification Authority (CA): entity that issues certificates; Cathy, the trusted 3rd party Multiple issuers pose validation problem. Alice’s CA is Cathy; Bob’s CA is Don; how can Alice validate Bob’s certificate? Have Cathy and Don cross-certify Each issues certificate for the other CA. Notation: Certificate X issued for Y X<<Y>> CSC 482/582: Computer Security

40 Validation and Cross-Certifying
Certificates: Cathy<<Alice>> Dan<<Bob>> Cathy<<Dan>> Dan<<Cathy>> Alice validates Bob’s certificate: Alice obtains Cathy<<Dan>> Alice uses (known) public key of Cathy to validate Cathy<<Dan>> Alice uses Cathy<<Dan>> to validate Dan<<Bob>> CSC 482/582: Computer Security

41 PGP Chains OpenPGP certificates verified via “web of trust”
No hierarchy of CAs to follow like SSL certificates Certificates can be signed by multiple parties OpenPGP certificates structured into packets: One public key packet. Zero or more signature packets. CSC 482/582: Computer Security

42 Signing Single certificate may have multiple signatures.
Notion of “trust” embedded in each signature Range from “untrusted” to “ultimate trust.” Signer defines meaning of trust level (no standards!) All version 4 keys signed by subject Called “self-signing.” CSC 482/582: Computer Security

43 Validating Certificates
Alice needs to validate Bob’s OpenPGP cert !: Fred,Giselle,Ellen. Alice gets Giselle’s cert Knows Henry slightly, but signature at “casual” trust. Alice gets Ellen’s cert Knows Jack, so uses his cert to validate Ellen’s, then hers to validate Bob’s. Jack<<Ellen>>Ellen<<Bob>> Arrows show signatures Self signatures not shown Bob Fred Giselle Ellen Irene Henry Jack CSC 482/582: Computer Security

44 Storing Keys Multi-user or networked systems: attackers may defeat access control mechanisms. Encipher file containing key. Attacker can monitor keystrokes to decipher files Key will be resident in memory. Use physical devices like “smart card.” Smart card performs encryption. Computer transfers plaintext to card. Card transfers ciphertext to computer. Card can be stolen, split key between two devices. CSC 482/582: Computer Security

45 Key Revocation Certificates invalidated before expiration Problems
Usually due to compromised key. May be due to change in circumstance (e.g., someone leaving company.) Problems Is entity revoking certificate authorized to do so? Can revocation information circulates to everyone quickly enough to avoid a compromise? CSC 482/582: Computer Security

46 CRLs A Certificate revocation list lists certificates that are revoked, with their IDs and revocation dates. X.509: only issuer can revoke certificate. PGP: signers can revoke signatures; owners can revoke certificates, or allow others to do so. Revocation message placed in PGP packet and signed. Flag marks it as revocation message. CSC 482/582: Computer Security

47 Digital Signature Construct that authenticates origin & contents of message in a manner provable to a disinterested third party (“judge.”) Nonrepudiatable Sender cannot deny having sent message. Proves that sender’s key was used to sign message. What if you claim key was stolen/compromised? Court would have to decide. CSC 482/582: Computer Security

48 Signing and Verification

49 Key Points Key management critical to effective use of cryptosystems.
Different levels of keys (session vs. interchange.) Use of nonces, sequence numbers, times to avoid replay attacks. Keys require an infrastructure to identify holders and allow revocation. SSL certificates verified with hierarchy of CAs. PGP certificates verified via web of trust. Digital signatures: integrity of origin and content. Signature is hash of signed document that is encrypted with signer’s private key. CSC 482/582: Computer Security

50 References Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005. Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996. Bruce Schneier, Applied Cryptography, 2nd edition, Wiley, 1996. John Viega and Gary McGraw, Building Secure Software, Addison-Wesley, 2002. CSC 482/582: Computer Security

51 Extra Slides CSC 482/582: Computer Security

52 Key Escrow Key escrow system allows authorized third party to recover cryptographic keys. Useful when keys belong to roles, such as system operator, rather than individuals. Business: recovery of backup keys. Law enforcement: recovery of keys that authorized parties require access to. Goal: provide escrow w/o weakening cryptosystem Very controversial. CSC 482/582: Computer Security

53 Desirable Properties Escrow system should not depend on encipherment algorithm. Privacy protection mechanisms must work from end to end and be part of user interface. Requirements map to key exchange protocol. System supporting key escrow must require all parties to authenticate themselves. If message to be observable for limited time, key escrow system must ensure keys valid for only that time period. CSC 482/582: Computer Security

54 Components User security component Key escrow component.
Does the encripherment, decipherment. Supports the key escrow component. Key escrow component. Manages storage, use of data recovery keys. Data recovery component. Does key recovery. CSC 482/582: Computer Security

55 Example: EES, Clipper Chip
Escrow Encryption Standard Set of interlocking components. Designed to balance need for law enforcement access to enciphered traffic with citizens’ right to privacy. Clipper chip prepares per-message escrow information Each chip numbered uniquely by UID. Special facility programs chip. Key Escrow Decrypt Processor (KEDP) Available to agencies authorized to read messages. CSC 482/582: Computer Security

56 User Security Component
Unique device key kunique Nonunique family key kfamily Cipher: Skipjack Classical cipher: 80 bit key, 64 bit I/O blocks Generates Law Enforcement Access Field (LEAF) of 128 bits: { UID || { ksession } kunique || hash } kfamily hash: 16 bit authenticator from session key and initialization vector. CSC 482/582: Computer Security

57 Programming User Components
Done in a secure facility Two escrow agencies needed Agents from each present Each supplies a random seed and key number Family key components combined to get kfamily Key numbers combined to make key component enciphering key kcomp Random seeds mixed with other data to produce sequence of unique keys kunique Each chip imprinted with UID, kunique, kfamily CSC 482/582: Computer Security

58 The Escrow Components During initialization of user security component, process creates ku1 and ku2 where kunique = ku1  ku2 First escrow agency gets { ku1 } kcomp Second escrow agency gets { ku2 } kcomp CSC 482/582: Computer Security

59 Obtaining Access Alice obtains legal authorization to read message.
She runs message LEAF through KEDP LEAF is { UID || { ksession } kunique || hash } kfamily KEDP uses (known) kfamily to validate LEAF, obtain sending device’s UID. Authorization, LEAF taken to escrow agencies. CSC 482/582: Computer Security

60 Agencies’ Role Each validates authorization.
Each supplies { kui } kcomp, corresponding key number. KEDP takes these and LEAF: Key numbers produce kcomp kcomp produces ku1 and ku2 ku1 and ku2 produce kunique kunique and LEAF produce ksession CSC 482/582: Computer Security

61 Would you trust Clipper?
Do you think your messages would be private under Clipper? Do you think law enforcement should have access to all cryptographic keys? CSC 482/582: Computer Security

62 Problems hash too short Does not meet temporal requirement
LEAF 128 bits, so given a hash: 2112 LEAFs show this as a valid hash 1 has actual session key, UID Takes about 42 minutes to generate a LEAF with a valid hash but meaningless session key and UID; in fact, deployed devices would prevent this attack. Does not meet temporal requirement As kunique fixed for each unit, once message is read, any future messages can be read. CSC 482/582: Computer Security

Download ppt "CSC 482/582: Computer Security"

Similar presentations

Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.

Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)

CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-1 Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-1 Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic.
1 Digital Signatures CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 12, 2004.

1 Digital Signatures CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 12, 2004.
Chapter 9: Key Management

Chapter 9: Key Management
1 Key Management CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 1, 2004.

1 Key Management CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 1, 2004.
Computer Security1 Bishop: Chapter 9 Key Management.

Computer Security1 Bishop: Chapter 9 Key Management.
Slide #9-1 Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures.

Slide #9-1 Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Computer Science Public Key Management Lecture 5.

Computer Science Public Key Management Lecture 5.
Csci5233 Computer Security1 Bishop: Chapter 10 Key Management: Digital Signature.

Csci5233 Computer Security1 Bishop: Chapter 10 Key Management: Digital Signature.
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Storage & Revoking.

Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Storage & Revoking.
Digital Signatures. Public Key Cryptography Public Key Cryptography Requirements 1.It must be computationally easy to encipher or decipher a message.

Digital Signatures. Public Key Cryptography Public Key Cryptography Requirements 1.It must be computationally easy to encipher or decipher a message.

Similar presentations

Ads by Google