Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 10: Mediated Authentication

Published byGisselle Sheerer Modified over 10 years ago

Similar presentations

Presentation on theme: "Lecture 10: Mediated Authentication"— Presentation transcript:

1 Lecture 10: Mediated Authentication
simple algorithm Needham-Schroeder simple expanded Otway-Rees nonce types

2 Establishing Session Key
Alice, Bob KB{Alice, KAB} KDC KA{Bob, KAB} Alice Bob problem (besides others): Bob will not know how to decrypt a message from Alice if message from KDC is late establishing connection KDC <-> Bob is (somewhat) expensive

3 Establishing Session Key (variant)
Alice, Bob KA{Bob, KAB}, ticketB where ticketB= KB{Alice, KAB} KDC Alice Bob Alice, ticketB Problems: no authentication between Alice and Bob no freshness guarantee for KAB (what if Alice reuses the ticket?)

4 Needham-Schroeder Protocol Outline
N1, Alice, Bob KA{N1, Bob, KAB, ticketB} where ticketB= KB{KAB, Alice} KDC ticketB, KAB{N2} Alice Bob KAB{N2-1, N3} KAB{N3-1}

5 Needham-Schroeder Protocol Explained
N1 is for KDC authentication to ensure freshness of KAB attack (without nonce): Trudy stole KAB from Bob and records old KDC’s reply to Alice; Trudy waits for a new request to KDC form Alice to talk to Bob and plays back old KDC’s reply impersonating KDC Reply from KDC strings “Bob” and “Alice” disallows Trudy tampering with messages and hijacking the conversation N2, N3: for key confirmation and mutual authentication (minor) issue: ticket is unnecessarily doubly encrypted in message from KDC

6 Needham-Schroeder: Reflection Attacks
If message integrity is vulnerable (for example with ECB), reflection attack is possible replay ticketB, KAB{N2} KAB{N2-1, N3} Trudy can separate KAB{N2-1} and KAB {N3} Trudy Bob KAB{N3-1} ticketB, KAB{N3} BTW, why are N2 and N3 encrypted at all in N-S? otherwise reflection attack is even easier Trudy Bob KAB{N3-1, N4} BTW, why are N2 and N3 encrypted at all in N-S?

7 Expanded Needham-Schroeder
in standard N-S, Bob doesn’t have freshness guarantee for KAB (i.e., can’t detect replays) to fix – get a nonce form Bob hello KB{NB} N1, Alice, Bob, KB{NB} KA{N1, Bob, KAB, ticketB} where ticketB= KB{KAB, Alice, NB} KDC Alice Bob ticketB, KAB{N2} KAB{N2-1, N3} KAB{N3-1}

8 Otway-Rees Protocol Outline
NC, “Alice”, “Bob”, KA{NA, NC, “Alice”, “Bob”} KA{NA, NC, “Alice”, “Bob”} KB{NB, NC, “Alice”, “Bob”} KDC NC, KA{NA, KAB}, KB{NB, KAB} Alice Bob KA{NA, KAB} KAB{anything recognizable}

9 Otway-Rees Protocol Explained
NA, NB: Provides freshness guarantee for A & B, as well as authentication of KDC. NC: To bind Alice, Bob, and the session. having separate NA and NC is not necessary for security, though it’s good for functional separation of nonces and uniformity of KDC messages.

10 Nonce Types nonce: a quantity which any given user of a protocol uses only once (a quantity which is guaranteed fresh) nonce types: sequence numbers need to keep state, what if Trudy can induce crashes (DoS attack?) timestamps need synchronized clocks random numbers freshness guarantee is only probabilistic but if number is large it is good enough unpredictable

11 Value of Unpredictability for Nonces
I’m Alice KAB{R} Alice Bob R recall the one one-way authentication alg is there a problem if R is a sequence number? what if Alice sends the plaintext challenge first and Alice replies with encrypted challenge? what if timestamps are used for challenges? is there a problem if R is a sequence number? yes, Trudy can eavesdrop on previous session and predict R what if Bob sends encrypted challenge first? still a problem: Trudy can predict what the next challenge from Bob will be, request Alice to encrypt it and impersonate Alice to Bob what if timestamps are used for challenges? still a problem if timestamp granularity is low (seconds?) – trudy can attempt to guess a timestamp

Download ppt "Lecture 10: Mediated Authentication"

Similar presentations

Modelling and Analysing Security Protocol: Lecture 4 Attacks and Principles Tom Chothia CWI.

Modelling and Analysing Security Protocol: Lecture 4 Attacks and Principles Tom Chothia CWI.
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
COEN 350 Kerberos.

COEN 350 Kerberos.
CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Efficient Kerberized Multicast Olga Kornievskaia University of Michigan Giovanni Di Crescenzo Telcordia Technologies.

Efficient Kerberized Multicast Olga Kornievskaia University of Michigan Giovanni Di Crescenzo Telcordia Technologies.
SCSC 455 Computer Security

SCSC 455 Computer Security
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
COS 461 Fall 1997 Todays Lecture u intro to security in networking –confidentiality –integrity –authentication –authorization u orientation for assignment.

COS 461 Fall 1997 Todays Lecture u intro to security in networking –confidentiality –integrity –authentication –authorization u orientation for assignment.
CNS2010handout 12 :: crypto protocols1 ELEC5616 computer and network security matt barrie

CNS2010handout 12 :: crypto protocols1 ELEC5616 computer and network security matt barrie
CSC 474 Information Systems Security

CSC 474 Information Systems Security
Handshake Protocols COEN 350. Simple Protocol Alice: Hi, I am Alice. My password is “fiddlesticks”. Bob: Welcome, Alice.

Handshake Protocols COEN 350. Simple Protocol Alice: Hi, I am Alice. My password is “fiddlesticks”. Bob: Welcome, Alice.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
CS470, A.SelcukNeedham-Schroeder1 Needham-Schroeder Protocol Authentication & Key Establishment CS 470 Introduction to Applied Cryptography Instructor:

CS470, A.SelcukNeedham-Schroeder1 Needham-Schroeder Protocol Authentication & Key Establishment CS 470 Introduction to Applied Cryptography Instructor:

Similar presentations

Ads by Google