Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSE331: Introduction to Networks and Security Lectures 26 & 27 Fall 2002.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "CSE331: Introduction to Networks and Security Lectures 26 & 27 Fall 2002."— Presentation transcript:

1 CSE331: Introduction to Networks and Security Lectures 26 & 27 Fall 2002

2 CSE331 Fall 20022 Announcements Project 3 is due on Nov. 18 th

3 CSE331 Fall 20023 Primary Attacks Impersonation. Replay. Interleaving. Reflection. Forced delay. Chosen plaintext.

4 CSE331 Fall 20024 Primary Controls Replay: use of challenge-response techniques and embedding target identity in response. Interleaving: link messages in a run with chained nonces. Reflection: embed identifier of target party in challenge response, use asymmetric message formats, use uni-directional keys.

5 CSE331 Fall 20025 Primary Controls, continued Chosen text: embed self-chosen random numbers (“confounders”) in responses, use “zero knowledge” techniques. Forced delays: use random numbers with short timeouts, use timestamps with other techniques.

6 CSE331 Fall 20026 Multiple Use of Keys There are risks in using keys for multiple purposes. Using an RSA key for both entity authentication and signatures may allow a chosen-text attack. B attacker/verifier, rB=H(M) for some message M. –B -> A: rB –A -> B: B, EA(rB) –B(A) -> C: M, EA(H(M)) B, pretending to be A

7 CSE331 Fall 20027 Effective Control Notice how the protocol described earlier foils this. Here’s the protocol: –B -> A: rB –A -> B: rA, B, S A (rA, rB, B) Here’s what happens: –B -> A: rB –A -> B: rA, B, EA(rA, rB, B) –B(A) -> C: M, EA(rA, H(M), B) –C finds that EA(rA, H(M), B)  EA(H(M)) and rejects the signature.

8 CSE331 Fall 20028 Usurpation Attacks Identification protocols provide assurances corroborating the identity of an entity only at a given instant in time. Techniques to assure ongoing authenticity: –Periodic re-identification. –Tying identification to an ongoing integrity service. For example: key establishment and encryption.

9 CSE331 Fall 20029 Key Establishment Symmetric keys. –Point-to-Point. –Needham-Schroeder. –Kerberos. Asymmetric keys. –X.509 key establishment. –Attack example. –Station To Station (STS) protocol. –Bellovin-Merritt protocol.

10 CSE331 Fall 200210 Symmetric Keys Key establishment using only symmetric keys requires use of pre-distribution keys to get things going. These can be based on: –Point to point distribution, or –Key Distribution Center (KDC).

11 CSE331 Fall 200211 Point-to-Point Timestamp. –A -> B : E(K, (k, t, B)) Nonce. –B -> A : r –A -> B : E(K, (k, r, B)) Session Key ISO/IEC 11770-2

12 CSE331 Fall 200212 Key Distribution Center

13 CSE331 Fall 200213 Distribution Center Setup A wishes to communicate with B. T is a trusted third party that provides session keys. T has a key K AT in common with A and a key K BT in common with B. A authenticates T using a nonce rA and obtains a session key from T. A authenticates to B and transports the session key securely.

14 CSE331 Fall 200214 Needham-Schroeder 1.A -> T : A, B, rA 2.T -> A : E( K AT, (k, rA, B, E( K BT, (k, A)) )) A decrypts with K AT and checks rA and B. Holds k for future correspondence with B. 3.A -> B : E( K BT, (k, A)) B decrypts with K BT. 4.B -> A : E(k, rB) A decrypts with k. 5.A -> B : E(k, rB – 1) B checks rB-1.

15 CSE331 Fall 200215 Attack Scenario 1 1.A -> T : A, B, rA 2.T -> C (A) : E( K AT, (k, rA, B, E( K BT, (k, A)) )) C is unable to decrypt the message to A; passing it along unchanged does no harm. Any change will be detected by A.

16 CSE331 Fall 200216 Attack Scenario 2 1.A -> C (T) : A, B, rA 2.C (A) -> T : A, C, rA 3.T -> A : E( K AT, (k, rA, C, E( K CT, (k, A)) )) Rejected by A because C rather than B.

17 CSE331 Fall 200217 Attack Scenario 3 1.A -> C (T) : A, B, rA 2.C -> T : C, B, rA 3.T -> C : E( K CT, (k, rA, B, E( K BT, (k, C)) )) 4.C (T) -> A : E( K CT, (k, rA, B, E( K BT, (k, C)) )) A is unable to decrypt the message.

18 CSE331 Fall 200218 Attack Scenario 4 1.C -> T : C, B, rA 2.T -> C : E( K CT, (k, rA, B, E( K BT, (k, C)) )) 3.C (A) -> B : E( K BT, (k, C)) B will see that the purported origin (A) does not match the identity indicated by the distribution center.

19 CSE331 Fall 200219 Kerberos Setup A,T,B, shared keys K AT, K BT as in distribution center. Nonce rA generated by A. Trusted synchronous clocks for generating a time t and checking expiration of a lifetime L.

20 CSE331 Fall 200220 Kerberos Messages 1.A -> T : A, B, rA 2.T -> A : E( K BT, (k, A, L)), E( K AT, (k, rA, L, B)) 3.A -> B : E( K BT, (k, A, L)), E( k, (A, t)) 4.B -> A : E(k, t) Ticket Authenticator

21 CSE331 Fall 200221 Kerberos Actions 1.A -> T : A, B, rA 2.T -> A : E( K BT, (k, A, L)), E( K AT, (k, rA, L, B)) Decrypt using K AT, check rA, B, and hold L for future reference. 3.A -> B : E( K BT, (k, A, L)), E( k, (A, t)) Decrypt the ticket using KBT to get the session key and lifetime. Use the session key to decrypt the authenticator. Check A, t, L. 4.B -> A : E(k, t) Check t.

22 CSE331 Fall 200222 Asymmetric Key Exchange X.509 key establishment. Impersonation case study. STS. Bellovin-Merritt protocol.

23 CSE331 Fall 200223 X.509 Key Establishment Setup X.509 is part of the X.500 series of ISO/IEC standards. certA and certB are certificates for the public keys of A and B. A has encryption function EA and signature function SA. B has signature function SB. rA and rB are nonces. LA and LB are lifetimes (validity periods).

24 CSE331 Fall 200224 X.509 Key Est. Messages Let DA = EB(k), rA, LA, A. Let DB = rB, LB, rA, A Two messages: 1.A -> B : certA, DA, SA(DA) Check that the nonce rA has not been seen, and is not expired according to LA. Remember it for its lifetime LA. 2.B -> A : certB, DB, SB(DB) Check the rA and A. Check that rB has not been seen and is not expired according to LB.

25 CSE331 Fall 200225 X.509 Variant X.509 supports several variants on the previously-described protocol. Let DA = EB(kA), rA, LA, A. Let DB = EA(kB), rB, LB, rA, A Two messages: 1.A -> B : certA, DA, SA(DA) 2.B -> A : certB, DB, SB(DB) Both A and B compute a session key f(kA, kB) as a function of subkeys supplied by A and B.

26 CSE331 Fall 200226 Impersonation Case Study

27 CSE331 Fall 200227 Protocol X 1.A -> T : A, B 2.T -> A : ST(EB, B) 3.A -> B : EB(kA, A) 4.B -> T : B, A 5.T -> B : ST(EA, A) 6.B -> A : EA(kA, kB) –Check kA. Calculate session key as f(kA,kB). 7.A -> B : EB(kB) –Check kB. Calculate session key as f(kA,kB).

28 CSE331 Fall 200228 Interleaving Attack on Protocol X An interleaving attack on this protocol is possible. An adversary C convinces: –A that he is talking to C using session key k = f(kA, kB). –B that his is talking to A using session key k. C has access to the key k and can use it to decrypt the responses that B makes to A.

29 CSE331 Fall 200229 Compromise Scenario B, C are taxpayers. A is the IRS. A contacts C, (presumably) authenticates and sets up a session key k. C uses the interleaving attack with B. B now thinks he is talking to the IRS. C answers questions directed to him by the IRS. Meanwhile C, pretending to be IRS, asks B for information about his income for the last 5 years.

30 CSE331 Fall 200230 What Went Wrong? Entity authentication: determining who you are talking to. Key establishment: settling on a shared session key. Protocol X admits an interleaving attack that allows an adversary to exploit entity authentication and then step in to exploit key establishment.

Download ppt "CSE331: Introduction to Networks and Security Lectures 26 & 27 Fall 2002."

Similar presentations

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
1 Distributed Computer Security: Authentication and Key Distribution Vijay Jain CSc 8320, Spring 2007.

1 Distributed Computer Security: Authentication and Key Distribution Vijay Jain CSc 8320, Spring 2007.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.

Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
Authentication & Kerberos

Authentication & Kerberos
Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,

1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.

Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.

1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.

 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

Similar presentations

Ads by Google