Presentation is loading. Please wait.

Presentation is loading. Please wait.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

Similar presentations


Presentation on theme: "CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz."— Presentation transcript:

1 CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz

2 Diffie-Hellman key exchange  Secure against passive eavesdropping…  …but insecure against a man-in-the-middle attack

3 Adding key exchange  Not sufficient to simply “add on” key establishment before/after authentication –Splicing attack…  Need “authenticated key exchange”

4 Authentication Protocols (Chapter 11, KPS)

5 Overview  Protocol design is subtle –Small changes can make a protocol insecure! –Historically, designed in an “ad-hoc” way, by checking protocol for known weaknesses –Great example of where provable security helps!

6 Example  “Reverse” challenge-response –I.e., send a ciphertext and have user decrypt it –Mutual authentication (if decrypts “validly”)??  Weaknesses? –Uses encryption for authentication (Note that a MAC cannot, in general, be used) –Vulnerable to dictionary attack just by false attempted login (not eavesdropping) –Authentication of server assumes no replay…

7 Example  User sends time, MAC K (time) –What if she had used encryption, or a hash? –What about just sending MAC K (time)?  Considerations? –Requires (loosely) synchronized clocks –Must guard against replay… –What if user has same key on multiple servers? –Clock reset attacks; clock DoS attacks! –No mutual authentication

8 Adding mutual authentication  Double challenge-response (symmetric key) in 4 rounds  Variant in which user sends nonce first? –Insecure (reflection attack)… –Also vulnerable to off-line password guessing without eavesdropping –To improve security, make protocol asymmetric –No such attack on original protocol Security principle: let initiator prove its identity first

9 Using timestamps?  User sends time, MAC K (time), server responds with MAC K (time+1) –What if they used encryption?  Vulnerabilities? –Symmetric protocol…

10 Establishing a session key  Double challenge-response; compute session key as F K (R+2) –Secure against passive attacks if F is a pseudorandom permutation… –Active attacks? And how to fix it…

11 Public-key based…  Include E pk (session-key) in protocol?  Encrypt session-key and sign the result? –No forward secrecy… –Potentially vulnerable to replay attacks  User sends E(R 1 ); server sends E(R 2 ); session key is R 1 +R 2 –Reasonable…


Download ppt "CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz."

Similar presentations


Ads by Google