Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authentication Protocols

Published byἈνδρομάχη Ανδρεάδης Modified over 6 years ago

Similar presentations

Presentation on theme: "Authentication Protocols"— Presentation transcript:

1 Authentication Protocols
used to convince parties of each others identity and to exchange session keys may be one-way or mutual key issues are confidentiality – to protect session keys timeliness – to prevent replay attacks published protocols are often found to have flaws and need to be modified Authentication Protocols are used to convince parties of each others identity and to exchange session keys. They may be one-way or mutual. Central to the problem of authenticated key exchange are two issues: confidentiality and timeliness. To prevent masquerade and to prevent compromise of session keys, essential identification and session key information must be communicated in encrypted form. This requires the prior existence of secret or public keys that can be used for this purpose. The second issue, timeliness, is important because of the threat of message replays. Stallings discusses a number of protocols that appeared secure but were revised after additional analysis. These examples highlight the difficulty of getting things right in the area of authentication. NITT Dept. of CSE

2 Replay Attacks where a valid signed message is copied and later resent
simple replay repetition that can be logged repetition that cannot be detected backward replay without modification countermeasures include use of sequence numbers (generally impractical) timestamps (needs synchronized clocks) challenge/response (using unique nonce) Replay Attacks are where a valid signed message is copied and later resent. Such replays, at worst, could allow an opponent to compromise a session key or successfully impersonate another party. At minimum, a successful replay can disrupt operations by presenting parties with messages that appear genuine but are not. [GONG93] lists the examples above of replay attacks. Possible countermeasures include the use of: • sequence numbers (generally impractical since must remember last number used with every communicating party) • timestamps (needs synchronized clocks amongst all parties involved, which can be problematic) • challenge/response (using unique, random, unpredictable nonce, but not suitable for connectionless applications because of handshake overhead) NITT Dept. of CSE

3 Using Symmetric Encryption
as discussed previously can use a two-level hierarchy of keys usually with a trusted Key Distribution Center (KDC) each party shares own master key with KDC KDC generates session keys used for connections between parties master keys used to distribute these to them A two-level hierarchy of symmetric encryption keys can be used to provide confidentiality for communication in a distributed environment. Usually involves the use of a trusted key distribution center (KDC). Each party in the network shares a secret master key with the KDC. The KDC is responsible for generating session keys, and for distributing those keys to the parties involved, using the master keys to protect these session keys. NITT Dept. of CSE

4 Needham-Schroeder Protocol
original third-party key distribution protocol for session between A B mediated by KDC protocol overview is: 1. A->KDC: IDA || IDB || N1 2. KDC -> A: EKa[Ks || IDB || N1 || EKb[Ks||IDA] ] 3. A -> B: EKb[Ks||IDA] 4. B -> A: EKs[N2] 5. A -> B: EKs[f(N2)] The Needham-Schroeder Protocol is the original, basic key exchange protocol. Used by 2 parties who both trusted a common key server, it gives one party the info needed to establish a session key with the other. Note that since the key server chooses the session key, it is capable of reading/forging any messages between A&B, which is why they need to trust it absolutely! Note that all communications is between A&KDC and A&B, B&KDC don't talk directly (though indirectly a message passes from KDC via A to B, encrypted in B's key so that A is unable to read or alter it). Other variations of key distribution protocols can involve direct communications between B&KDC. NITT Dept. of CSE

5 Needham-Schroeder Protocol
used to securely distribute a new session key for communications between A & B but is vulnerable to a replay attack if an old session key has been compromised then message 3 can be resent convincing B that is communicating with A modifications to address this require: timestamps (Denning 81) using an extra nonce (Neuman 93) There is a critical flaw in the protocol, as shown. It can be corrected by either using timestamps, or an additional nonce, with respective advantages and limitations. This example emphasises the need to be extremely careful in codifying assumptions, and tracking the timeliness of the flow of info in protocols. Designing secure protocols is not easy, and should not be done lightly. Great care and analysis is needed. NITT Dept. of CSE

6 Denning Protocol NITT Dept. of CSE

7 Neuman Protocol NITT Dept. of CSE

8 Using Public-Key Encryption
have a range of approaches based on the use of public-key encryption need to ensure have correct public keys for other parties using a central Authentication Server (AS) various protocols exist using timestamps or nonces Have a range of approaches based on the use of public-key encryption, which generally assume that each of the two parties is in possession of the current public key of the other. The central system is known as an Authentication Server (AS). Have various protocols using timestamps or nonces, and again flaws were found in a number of the original proposals. See text for details. NITT Dept. of CSE

9 Denning AS Protocol Denning 81 presented the following:
1. A -> AS: IDA || IDB 2. AS -> A: EPRas[IDA||PUa||T] || EPRas[IDB||PUb||T] 3. A -> B: EPRas[IDA||PUa||T] || EPRas[IDB||PUb||T] || EPUb[EPRas[Ks||T]] note session key is chosen by A, hence AS need not be trusted to protect it timestamps prevent replay but require synchronized clocks A protocol using timestamps is provided in [DENN81] is shown above. The central authentication server (AS) only provides public-key certificates. The session key is chosen and encrypted by A; hence, there is no risk of exposure by the AS. The timestamps protect against replays of compromised keys. This protocol is compact but, as before, requires synchronization of clocks. NITT Dept. of CSE

10 Woo and Lam Protocol NITT Dept. of CSE

11 Revised Version Woo and Lam Protocol
NITT Dept. of CSE

12 One-Way Authentication
required when sender & receiver are not in communications at same time (eg. ) have header in clear so can be delivered by system may want contents of body protected & sender authenticated One application for which encryption is growing in popularity is electronic mail ( ). The very nature of electronic mail, and its chief benefit, is that it is not necessary for the sender and receiver to be online at the same time. Instead, the message is forwarded to the receiver’s electronic mailbox,where it is buffered until the receiver is available to read it. The “envelope” or header of the message must be in the clear so that the message can be handled by the store-and-forward protocol. However it is often desirable that message be encrypted such that the mail-handling system is not in possession of the decryption key. A second requirement is that of authentication, where the recipient wants some assurance that the message is from the alleged sender. One-Way Authentication addresses these requirements. NITT Dept. of CSE

13 Using Symmetric Encryption
can refine use of KDC but can’t have final exchange of nonces, vis: 1. A->KDC: IDA || IDB || N1 2. KDC -> A: EKa[Ks || IDB || N1 || EKb[Ks||IDA] ] 3. A -> B: EKb[Ks||IDA] || EKs[M] does not protect against replays could rely on timestamp in message, though delays make this problematic Using symmetric encryption, with some refinement, the KDC strategy is a candidate for encrypted electronic mail. Because we wish to avoid requiring that the recipient be on line at the same time as the sender, steps 4 and 5 must be eliminated, leaving the protocol as shown. This approach guarantees that only the intended recipient of a message will be able to read I, and also provides a level of authentication that the sender is A. As specified, the protocol does not protect against replays. You could rely on timestamp in the message, though delays make this problematic. NITT Dept. of CSE

14 Public-Key Approaches
have seen some public-key approaches if confidentiality is major concern, can use: A->B: EPUb[Ks] || EKs[M] has encrypted session key, encrypted message if authentication needed use a digital signature with a digital certificate: A->B: M || EPRa[H(M)] || EPRas[T||IDA||PUa] with message, signature, certificate Have already presented public-key encryption approaches that are suited to electronic mail, including the straight forward encryption of the entire message for confidentiality, authentication, or both. These approaches require that either the sender know the recipient’s public key (confidentiality) or the recipient know the sender’s public key (authentication) or both (confidentiality plus authentication). In addition, the public-key algorithm must be applied once or twice to what may be a long message. If confidentiality is the primary concern, then the message can be encrypted with a one-time secret key, which in in turn is encrypted with B’s public key. To achieve authentication, and to validate the senders public key, the signature can be encrypted with the recipient’s public key, and for assurance A’s public key is sent in a digital certificate, as shown. To obtain confidentiality as well, the message can be encrypted with a session key, combining both options above. NITT Dept. of CSE

15 Authentication Applications
NITT Dept. of CSE

16 Kerberos trusted key server system from MIT
provides centralised private-key third-party authentication in a distributed network allows users access to services distributed through network without needing to trust all workstations rather all trust a central authentication server two versions in use: 4 & 5 Kerberos is an authentication service developed as part of Project Athena at MIT, and is one of the best known and most widely implemented trusted third party key distribution systems. Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to users. Unlike most other authentication schemes, Kerberos relies exclusively on symmetric encryption, making no use of public-key encryption. Two versions of Kerberos are in common use: v4 & v5. NITT Dept. of CSE

17 Kerberos Requirements
its first report identified requirements as: secure reliable transparent scalable implemented using an authentication protocol based on Needham-Schroeder The first published report on Kerberos [STEI88] listed the requirements shown above. To support these requirements, Kerberos is a trusted third-party authentication service that uses a protocol based on that proposed by Needham and Schroeder [NEED78], which was discussed in Chapter 7. NITT Dept. of CSE

18 Simple Authentication Dialogue
NITT Dept. of CSE

19 More Secure Authentication Dialogue
NITT Dept. of CSE

20 Kerberos v4 Overview a basic third-party authentication scheme
have an Authentication Server (AS) users initially negotiate with AS to identify self AS provides a non-corruptible authentication credential (ticket granting ticket TGT) have a Ticket Granting server (TGS) users subsequently request access to other services from TGS on basis of users TGT The core of Kerberos is the Authentication and Ticket Granting Servers – these are trusted by all users and servers and must be securely administered. The protocol includes a sequence of interactions between the client, AS, TGT and desired server. NITT Dept. of CSE

21 Kerberos v4 Dialogue obtain ticket granting ticket from AS
once per session obtain service granting ticket from TGT for each distinct service required client/server exchange to obtain service on every service request The full Kerberos v4 authentication dialogue is shown in Stallings Table 14.1, divided into the 3 phases shown above. The justification for each item in the messages is given in Stallings Table 14.2. NITT Dept. of CSE

22 Kerberos 4 Overview Stallings Figure 14.1 diagrammatically summarizes the Kerberos v4 authentication dialogue, with 3 pairs of messages, for each phase listed previously. NITT Dept. of CSE

23 Kerberos Realms a Kerberos environment consists of:
a Kerberos server a number of clients, all registered with server application servers, sharing keys with server this is termed a realm typically a single administrative domain if have multiple realms, their Kerberos servers must share keys and trust A full-service Kerberos environment consisting of a Kerberos server, a number of clients, and a number of application servers is referred to as a Kerberos realm. A Kerberos realm is a set of managed nodes that share the same Kerberos database, and are part of the same administrative domain. If have multiple realms, their Kerberos servers must share keys and trust each other. NITT Dept. of CSE

24 Kerberos Realms Stallings Figure 14.2 shows the authentication messages where service is being requested from another domain. The ticket presented to the remote server indicates the realm in which the user was originally authenticated. The server chooses whether to honor the remote request. One problem presented by the foregoing approach is that it does not scale well to many realms, as each pair of realms need to share a key. NITT Dept. of CSE

25 Kerberos Version 5 developed in mid 1990’s
specified as Internet standard RFC 1510 provides improvements over v4 addresses environmental shortcomings encryption alg, network protocol, byte order, ticket lifetime, authentication forwarding, interrealm auth and technical deficiencies double encryption, non-std mode of use, session keys, password attacks Kerberos Version 5 is specified in RFC 1510 and provides a number of improvements over version 4 in the areas of environmental shortcomings and technical deficiencies, in areas as noted. See Stallings Table 14.3 for details of the Kerberos v5 authentication dialogue. NITT Dept. of CSE

26 X.509 Authentication Service
part of CCITT X.500 directory service standards distributed servers maintaining user info database defines framework for authentication services directory may store public-key certificates with public key of user signed by certification authority also defines authentication protocols uses public-key crypto & digital signatures algorithms not standardised, but RSA recommended X.509 certificates are widely used X.509 is part of the X.500 series of recommendations that define a directory service, being a server or distributed set of servers that maintains a database of information about users. X.509 defines a framework for the provision of authentication services by the X.500 directory to its users. The directory may serve as a repository of public-key certificates. In addition, X.509 defines alternative authentication protocols based on the use of public-key certificates. X.509 is based on the use of public-key cryptography and digital signatures. The standard does not dictate the use of a specific algorithm but recommends RSA. The X.509 certificate format is widely used, in for example S/MIME, IP Security and SSL/TLS and SET. NITT Dept. of CSE

27 X.509 Certificates issued by a Certification Authority (CA), containing: version (1, 2, or 3) serial number (unique within CA) identifying certificate signature algorithm identifier issuer X.500 name (CA) period of validity (from - to dates) subject X.500 name (name of owner) subject public-key info (algorithm, parameters, key) issuer unique identifier (v2+) subject unique identifier (v2+) extension fields (v3) signature (of hash of all fields in certificate) notation CA<<A>> denotes certificate for A signed by CA The X.509 certificate is the heart of the standard. There are 3 versions, with successively more info in the certificate - must be v2 if either unique identifier field exists, must be v3 if any extensions are used. These user certificates are assumed to be created by some trusted certification authority (CA) and placed in the directory by the CA or by the user. The directory server itself is not responsible for the creation of public keys or for the certification function; it merely provides an easily accessible location for users to obtain certificates. The certificate includes the elements shown. The standard uses the notation for a certificate of: CA<<A>> where the CA signs the certificate for user A with its private key. NITT Dept. of CSE

28 X.509 Certificates Stallings Figure 14.4 shows the format of an X.509 certificate and CRL. NITT Dept. of CSE

29 Obtaining a Certificate
any user with access to CA can get any certificate from it only the CA can modify a certificate because cannot be forged, certificates can be placed in a public directory User certificates generated by a CA have the characteristics that any user with access to the public key of the CA can verify the user public key that was certified, and no party other than the certification authority can modify the certificate without this being detected. Because certificates are unforgeable, they can be placed in a directory without the need for the directory to make special efforts to protect them. NITT Dept. of CSE

30 CA Hierarchy if both users share a common CA then they are assumed to know its public key otherwise CA's must form a hierarchy use certificates linking members of hierarchy to validate other CA's each CA has certificates for clients (forward) and parent (backward) each client trusts parents certificates enable verification of any certificate from one CA by users of all other CAs in hierarchy If both parties use the same CA, they know its public key and can verify others certificates. If not, then there has to be some means to form a chain of certifications between the CA's used by the two parties, by the use of client and parent certificates. It is assumed that each client trusts its parents certificates. NITT Dept. of CSE

31 CA Hierarchy Use Stallings Figure 14.5 illustrates the use of an X.509 hierarchy to mutually verify clients certificates. Track chains of certificates: A acquires B certificate using chain: X<<W>>W<<V>>V<<Y>>Y<<Z>>Z<<B>> B acquires A certificate using chain: Z<<Y>>Y<<V>>V<<W>>W<<X>>X<<A>> NITT Dept. of CSE

32 Certificate Revocation
certificates have a period of validity may need to revoke before expiry, eg: user's private key is compromised user is no longer certified by this CA CA's certificate is compromised CA’s maintain list of revoked certificates the Certificate Revocation List (CRL) users should check certificates with CA’s CRL A certificate includes a period of validity. Typically a new certificate is issued just before the expiration of the old one. In addition, it may be desirable on occasion to revoke a certificate before it expires, for one of a range of reasons, such as those shown above. To support this, each CA must maintain a list consisting of all revoked but not expired certificates issued by that CA, known as the certificate revocation list (CRL). When a user receives a certificate in a message, the user must determine whether the certificate has been revoked, by checking the directory CRL each time a certificate is received, this often does not happen in practice. NITT Dept. of CSE

Download ppt "Authentication Protocols"

Similar presentations

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Kerberos and X.509 Fourth Edition by William Stallings

Kerberos and X.509 Fourth Edition by William Stallings
CSCE 815 Network Security Lecture 10 KerberosX.509 February 13, 2003.

CSCE 815 Network Security Lecture 10 KerberosX.509 February 13, 2003.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
PIS: Unit III Digital Signature & Authentication Sanjay Rawat PIS Unit 3 Digital Sign Auth Sanjay Rawat1 Based on the slides of Lawrie.

PIS: Unit III Digital Signature & Authentication Sanjay Rawat PIS Unit 3 Digital Sign Auth Sanjay Rawat1 Based on the slides of Lawrie.
Cryptography and Network Security Chapter 14

Cryptography and Network Security Chapter 14
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Network Security Essentials Chapter 4

Network Security Essentials Chapter 4
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Cryptography and Network Security

Cryptography and Network Security
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.

Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
AUTHENTICATION APPLICATIONS - Chapter 14 Kerberos X.509 Directory Authentication (S/MIME)

AUTHENTICATION APPLICATIONS - Chapter 14 Kerberos X.509 Directory Authentication (S/MIME)
Authentication & Kerberos

Authentication & Kerberos
Cryptography and Network Security Chapter 15 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 15 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

Similar presentations

Ads by Google