Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Security Tutorial-14 Design Fundamentals IPSEC, KERBEROS

Published byGermán Nieto Molina Modified over 5 years ago

Similar presentations

Presentation on theme: "Network Security Tutorial-14 Design Fundamentals IPSEC, KERBEROS"— Presentation transcript:

1 Network Security Tutorial-14 Design Fundamentals IPSEC, KERBEROS
ET-IDA-082 Tutorial-14 IPSEC, KERBEROS , v4 Prof. W. Adi

2 IPSec problem : Users A and B are using a simplified IPSEC IKE system in aggressive mode according to Fig. 1. Assuming that : A=1, B=0, CP=5, IC= 0, RC=1, a= 21, b= 17, RA= 4, RB= 7 (| stands for concatenation) Design a Diffie-Hellmann key exchange system over GF(25) using p(x) = x5 + x4 + x3 + x + 1 as a field modulus assuming that the secret keys for users A and B are a=21, b=17 respectively. Compute a primitive element g and the common key gab as a binary vector in GF(25). Compute the common session key as K = h(IC|RC|(gab mod p(x))|RA|RB) Assuming the hash function h is defined as the least significant digit of x2 mod 97 that is: h(x) = (x2 mod 97 ) mod 10 (see also all parameters on Fig 1.) (show all necessary computations) 3. Compute SKEYID. SKEYID = h(RA| RB|(gab mod p(x))) . (Show all necessary computations in your solution!) 4. Compute the signature of B assuming the proof to be a secret key signature by double hashing as follows: proofB = h [ h(SKEYID |gab |IC|RC|CP|“Bob”) |KBob] , where KBob =9 is a secret signing key of Bob appended to the hash value.

3 IKE Phase 1: Public Key Signature (Aggressive Mode)
User A Alice User B Bob IC, “Alice”, ga mod p, RA, CP IC,RC, “Bob”, RB, gb mod p, CS, proofB IC,RC, proofA Session key= K DHGF= Diffie-Hellman Key exchange over GF(25) p(x) = x5 + x4 + x3 + x + 1 as field modulus, Xa=21, Xb=17 CP = 5=crypto proposed CS = crypto selected = 1 IC = initiator “cookie” = 0 RC = responder “cookie”= 1 Alice = 1 , RA= 4, Bob = , RB= 7 K = h(IC|RC|gab mod p(x)|RA|RB) Assume h(X) = X2 mod 97 mod 10 SKEYID = h(RA| RB|gab mod p(x)) proofA = h [ h(SKEYID |gab|IC|RC|CP|“Alice”) |KAlice] proofB = h [ h(SKEYID |gab|IC|RC|CP|“Bob”) |KBob] Fig. 1

4 p(x) = x5 + x4 + x3 + x + 1 = 0 => x5 = x4 + x3 + x + 1
IPSec problem solution: DH setup: User A: a= 21 , b = g21 =( x21) = = x16 . x5 = (x4 + x3 )(x4 + x3 + x + 1) = 1 + x4 = 10001 Public directory User B: Xb= 17 , Yb = g17 =( x17) = x16. x = x5 + x4 = x3 + x + 1 = 01011 p(x) = x5 + x4 + x3 + x + 1 in GF(25) g=x : primitive element Ya = 10001 Yb = 25-1=31 is a prime number, all non-zero and not 1 elements have order 31, element 1 has order =1, => x is a primitive element p(x) = x5 + x4 + x3 + x + 1 = => x5 = x4 + x3 + x + 1 x1 = x x2 = x2 x3 = x3 x4 = x4 x5 = x4 + x3 + x + 1 x6 = x5 + x4 + x2 + x = x4 + x3 + x x4 + x2 + x = x3 + x2 + 1 x7 = x4 + x3 + x x8 = x5 + x4 + x2 = x4 + x3 + x x4 + x2 = x3 + x2 + x + 1 = 01111 X16 =( x8)2 = x6 + x4 + x = x3 + x x4 + x = x4 + x3 = = (24) 10 gab = ( (x21 )17) mod 31 = x357 mod 31 = x16 = x4 + x3 = = (24) 10

5 SKEYID = h(RA, RB, gab mod p(x)) = ((4 7 24)2 mod 97) mod 10= 5
Session Key computation: K = h(IC|RC|(gab mod p(x))|RA|RB) = ((012447)2 mod 97 )mod 10=8 Where h(X) = (X2 mod 97) mod 10 3. SKEYID computation: SKEYID = h(RA, RB, gab mod p(x)) = ((4 7 24)2 mod 97) mod 10= 5 4. Computing proofB: proofB = h [ h(SKEYID |gab|IC|RC|CP|“Bob”) |KBob] proofB= h[(( )2 mod 97) mod10] = h[2 |KBob] = ((2 9)2 mod 97) mod10 = 5

6 IKE Phase 1: Public Key Signature (Aggressive Mode)
User A Alice User B Bob 0, 1, x21 mod p(x), 4, 5 0,1, 0, 7, x17 mod p(x), 1, 5 IC,RC, proofA CP = 5=crypto proposed CS = crypto selected = 1 IC = initiator “cookie” = 0 RC = responder “cookie”= 1 Alice = 1 , RA= 4, Bob = , RB= 7 DHGF= Diffie-Hellman Key exchange over GF(25) p(x) = x5 + x4 + x3 + x + 1 as field modulus, Xa=21, Xb=17 Fig. 2

7 KERBEROS problem : A KERBEROS system is set up as shown in Fig. 3
The used hash function is : h(x) = x3 mod 41 The adopted encryption function is: Y = E(X,K) = X · K mod 53 Notice: split your encrypted blocks when necessary such that the system becomes operational!! Compute KA and TGT. Compute the number of possible key choices for KKDC. Compute the KDC response Res Decrypt Res on Alice side Compute Alice’s REQUEST Compute KB and KDC REPLY to Alice including the ticket to Bob Compute AuthenticatorA to Bob and decrypt ticket to Bob on Bob’s side Compute ResB on B side and verify it at A side How secure is the proposed system? Is it possible for KDC to encrypt TGT such that TGT becomes perfectly secure (impossible to break)? Why? If possible, how to do that by using the above adopted encryption function? MH: Unterscheidet sich der Font auf dieser Folie absichtlich von den anderen?

8 Step 1: Kerberized Login (Ticket Granting Ticket : TGT )
Alice wants a TGT Alice’s Password Alice’s Secret key KA = h(PasswordA) Res = E(SA|TGT, KA) Alice Computer KDC h(x) = x3 mod 41 TGT = E(“Alice”|SA, KKDC) KDC proposed session key SA= 8 PasswordA = 7, PasswordB= 9 KKDC= 22 Alice = 1, Bob= 2 (TGT= Ticket Granting Ticket), E(X,Y,Z, K) means data XYZ are encrypted using the key K Encryption function E: Y = E(X,K) = X · K mod 53 MH: Unterscheidet sich der Font auf dieser Folie absichtlich von den anderen? Fig. 3

9 Step 2: Alice Requests Ticket to Bob
I want to talk to Bob Talk to Bob REQUEST Alice REPLY Computer KDC REQUEST = (TGT, authenticator), where authenticator = E(timestamp, SA) REPLY = E(“Bob”|KAB| ticket to Bob, SA) ticket to Bob = E(“Alice”|KAB, KB) generated by KDC Step 3: Alice sends Ticket to Bob, establish link Timestamp = 9, proposed KAB= 6 ticket to Bob = E(“Alice”|KAB, KB), authenticatorA = E(timestamp, KAB) ResB = E(timestamp + 1,KAB) Bob (Knows KB) Secured link: (KAB = 6) Alice’s Computer Fig. 4

10 2. Number of possible key choices for KKDC.
KA = h(7) = 73 mod 41 = 343 mod 41= 15 TGT = E(“Alice” | SA, KKDC) = E( 1 | 8 , 22) = (18 * 22) mod 53 = 396 mod 53 = 25 2. Number of possible key choices for KKDC. # possible keys for KDC = φ(53) = 52 3.Res = E(SA|TGT, KA) = E(8|25, 15) = E(8,15) | E(25,15) = 8x15 mod 53 | 25x15 mod 5 = 120 mod 53 | 375 mod 53 = 14 | 4 4. Decryption of Res on Alice side Res = 14 | 4 Decryption of Res = D( Res , KA-1 ) = D( 14 | 4 , KA-1 ) = (14 x 46 mod 53 | 4 x 46 mod 53) = 8 | 25 = SA | TGT KA-1 mod 53 = 15-1 mod 53 = -7 mod 53 = = 46

11 5. Computing Alice’s REQUEST
REQUEST = (TGT, authenticator) authenticator = E (timestamp, SA ) = E(9, 8) = 9 x 8 mod 53 = 72 mod 53 = 19 REQUEST = (TGT, authenticator) = (25 , 19) 6. Computing KB and KDC REPLY to Alice including the ticket to Bob KB = h(PasswordB) = h(93) mod 41 = 729 mod 41 = 32 Ticket to Bob = E(“Alice”|KAB, KB) generated by KDC = E(1|6 , 32) = mod 53 = 512 mod 53 = 35 REPLY = E(“Bob”|KAB| ticket to Bob, SA) = E( 2 | 6 | 35 , 8 ) = E( 26 , 8 )| E( 35 , 8 ) = mod 53 | mod 53 = 208 mod 53 | 280 mod 53 = 49 | 15

12 7. In Fig. 3 Compute AuthenticatorA to Bob and decrypt ticket to Bob on Bob’s side
AuthenticatorA = E(timestamp, KAB) = E(9,6) = mod 53 = 54 mod 53 = 1 KB-1 mod 53 = 5 Ticket to bob = 35 Decrypt on Bob‘s side = D(Ticket to bob , KB-1) = D(35,5) = 35 x 5 mod 53 = 175 mod 53 = 16 = 1|6 = „Alice“ | KAB

13 8. In Fig. 3 compute ResB on B side and Verify it at A side
ResB = E(timesatamp+1, KAB) = E(9+1, 6) = mod 53 = 60 mod53 = 7 KAB-1 mod 53 = 9 D(ResB , KAB-1 ) = E(ResB,KAB-1) = E(7,9) = mod 53 = 63 mod 53 = 10 = timestamp +1

14 Basically not secure as knowing one clear-text/cipher-text pair would allow computing the secret key K. As follows: K = X-1 . Y mod 53. As 53 is a prime , any non-zero X is invertible modulo 53. The hash function using x3 mod 41 could be invertible if the cube root in GF(41) is computable. However, if the key K is not repeatedly used, then the cipher is equivalent to Vernam cipher over the multiplicative group of GF(53), as 53 is a prime and hence the cipher usage becomes unconditionally secure. 10. Yes, if the KDC do not repeat using the same encryption key KkDC for creating TGT. As 53 is a prime and the system is operating in the multiplicative group of GF(53). Therefore KDC would be using a Vernam-cipher-equivalent scheme. This makes TGT unconditionally secure. KDC should not repeat the usage of any key !!

15 Alice wants Alice Fig. 5 Fig. 6 a TGT = 25 KDC Computer
Alice’s Password Alice wants Alice’s Secret key KA = 15 a TGT = 25 Res = 14 | 4 KDC Computer Fig. 5 Alice Talk to Bob I want to talk to Bob REQUEST = (25,19) REPLY=49 |15 KDC Computer ticket to Bob = 35, authenticatorA = 1 ResB = 7 Alice’s Computer Bob (Knows KB) KAB = 6 Fig. 6

Download ppt "Network Security Tutorial-14 Design Fundamentals IPSEC, KERBEROS"

Similar presentations

Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
IPsec – IKE CS 470 Introduction to Applied Cryptography

IPsec – IKE CS 470 Introduction to Applied Cryptography
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.

Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
ElGamal Public Key Cryptography CS 303 Alg. Number Theory & Cryptography Jeremy Johnson Taher ElGamal, A Public-Key Cryptosystem and a Signature Scheme.

ElGamal Public Key Cryptography CS 303 Alg. Number Theory & Cryptography Jeremy Johnson Taher ElGamal, "A Public-Key Cryptosystem and a Signature Scheme.
Lecture 14 ISAKMP / IKE Internet Security Association and Key Management Protocol / Internet Key Exchange CIS 4362 - CIS 5357 Network Security.

Lecture 14 ISAKMP / IKE Internet Security Association and Key Management Protocol / Internet Key Exchange CIS CIS 5357 Network Security.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
1 Lecture 16: IPsec IKE history of IKE Photurus IKE phases –phase 1 aggressive mode main mode –phase 2.

1 Lecture 16: IPsec IKE history of IKE Photurus IKE phases –phase 1 aggressive mode main mode –phase 2.
Cryptography and Network Security Chapter 10 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 10 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Chapter 10: Key Management in Public key cryptosystems Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Modified by Prof. M. Singhal,

1 Chapter 10: Key Management in Public key cryptosystems Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Modified by Prof. M. Singhal,
Diffie-Hellman Key Exchange first public-key type scheme proposed by Diffie & Hellman in 1976 along with the exposition of public key concepts – note:

Diffie-Hellman Key Exchange first public-key type scheme proposed by Diffie & Hellman in 1976 along with the exposition of public key concepts – note:
Page : 1 Date : 31.08. 2013 Duration : 90 Minutes Maximum marks 70% Vorname ……………………………………….. Nachname ……………………………………….. Matrikel-Nr. ………………………………………..

Page : 1 Date : Duration : 90 Minutes Maximum marks 70% Vorname ……………………………………….. Nachname ……………………………………….. Matrikel-Nr. ………………………………………..
Public-Key Cryptography ElGamal Public-Key Crypto-System

Public-Key Cryptography ElGamal Public-Key Crypto-System
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
Network Security Netzwerksicherheit Lecture ID: ET-IDA-082 and 111

Network Security Netzwerksicherheit Lecture ID: ET-IDA-082 and 111
최신정보보호기술 경일대학교 사이버보안학과 김 현성.

최신정보보호기술 경일대학교 사이버보안학과 김 현성.
Reviews Rocky K. C. Chang 20 April 2007.

Reviews Rocky K. C. Chang 20 April 2007.
Outline Primitive Element Theorem Diffie Hellman Key Distribution

Outline Primitive Element Theorem Diffie Hellman Key Distribution

Similar presentations

Ads by Google