Presentation is loading. Please wait.

Presentation is loading. Please wait.

15-349 Introduction to Computer and Network Security Iliano Cervesato 9 September 2008 – Cryptographic Protocols.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "15-349 Introduction to Computer and Network Security Iliano Cervesato 9 September 2008 – Cryptographic Protocols."— Presentation transcript:

1 15-349 Introduction to Computer and Network Security Iliano Cervesato 9 September 2008 – Cryptographic Protocols

2 2 Where we are  Course intro  Cryptography  Intro to crypto  Modern crypto  Symmetric encryption  Asymmetric encryption  Beyond encryption  Cryptographic protocols  Attacking protocols  Program/OS security & trust  Networks security  Beyond technology

3 3 Outline  What is a protocol?  Authentication protocols  Other cryptographic protocols  Challenge-response exchanges  Key distribution  Shared-key protocols  Needham-Schroeder shared-key  Denning-Sacco  Public-key protocols  Needham-Schroeder public-key  Diffie-Hellman protocol  station-to-station  Repeated authentication protocols  Neuman-Stubblebine “Cryptography is not broken, it is circumvented” [Shamir]

4 4 Protocols Expected behaviors when engaging in communication  When 2 people want to talk  Buying something at the souq  Driving conventions  Calling up your friend, …  When interacting with an organization  Bureaucracy  Official visits by head of states, …  …  When computers want to talk

5 5 Computer Protocols  What sets them apart?  No human involved!  Automated  Inflexible  No common-sense  What protocols are there in a computer?  Hundreds!  Communication protocols  Email, http, Ethernet, …  Security protocols

6 6 Security Protocols  Communication protocols ensure that communication actually happens  Security protocols ensure that communication is not abused  Protect contents  Protect communicating parties  Protect intent of communication  Protect possibility of communication

7 7 Common Security Goals  Confidentiality  Message cannot be observed in transit  Achieved using some form of encryption

8 8 Authentication  Ensure that we are talking with who we think  Much more subtle than secrecy  How to establish a secret channel in the first place  Negotiate parameters of channel  Ensure channel remains trusted  Authentication protocols

9 9 Other Security Goals  Non-Repudiation  Party cannot claim he didn’t do it  For auditing, electronic contract signing, …  Non-Malleability  Message cannot be changed en route  For electronic voting, …  Anonymity  Hide who is communicating  Availability  User can always get through  …

10 10 Security Protocols Encryption provides virtual trusted channels  Security protocols  How to establish, maintain and use these channels  Authentication protocols  How to establish channel in the first place –Negotiate parameters of channel –Ensure that channel is still trusted  Other types of protocols  Using trusted channels for specific purposes –Electronic commerce (e-cash, e-auctions, …) –Electronic voting –Electronic contract signing, … ED This lecture

11 11 Authentication Protocols  Challenge-response  Verify somebody is at the other end of channel  Key generation  Establish channel  Key distribution  Bind channel ends with requesters  Key translation  Use indirect channels These aspects can be combined

12 12 Some Notation We abstract from the cryptographic algorithms used  Encryption: {m} k  In particular shared-key encryption  Public-key encryption sometimes written {{m}} k  Authentication: [m] k  In particular for MACs  Digital signatures sometimes written [[m]] k  Usually includes both message and digest  Decryption/verification not modeled explicitly

13 13 Our Heros  Generic principals  A (Alice)  B (Bob)  C (Charlie), …  Servers  S (Sam)  … specialized names  Trusted-Third Party – TTP  Certification Authority –CA  Key Distribution Center – KDC  …  Attacker  I (intruder)  Also known as  E (Eve – eavesdropper, enemy)  M (Mallory – malicious)  Trudy, ….

14 14 Challenge-Response Protocols  Given trusted channel  A checks if B is there  Sends challenge to B  Waits for response  Get B to use the channel  By decrypting the challenge  By encrypting the response  … or both  Used to  Test a newly established channel  Verify a previously used channel  Usually part of bigger protocols  Also called authentication test A’s view AB “Hi, it’s me!” “I’m here too!”

15 15 Guarantying Freshness  Reusing challenges is dangerous  Waste subsequent transmissions  Replay of favorable messages  If channel used to transmit keys  and a previous key k was compromised,  then I can force A to reuse k  Response should be fresh  Nonces  Timestamps  Sequence numbers  Fresh key (with care!)

16 16 Nonces Random sequence of bits  Typically 32-128 bit long  Generated fresh by originator as challenge  Unpredictable  Checked in response  Not checked by recipient  Impractical to memorize them  Never reused  But may contribute to keys  E.g. by hashing AB nAnA {n A } k AB AB nAnA AB {n A -1} k AB Challenge-response exchanges using nonces

17 17 Timestamps Current time in local computer  E.g. in milliseconds  Checkable by recipient  Element of predictability  Recipient must keep most recent timestamps to avoid replay  Requires common time reference  Allow for clock skew  Use secure synchronized clocks  Supports for service time-out AB tAtA {t A } k AB AB tAtA AB {t A -1} k AB Challenge-response exchanges using timestamps

18 18 Sequence Numbers  Originator maintains counter  Incremented by 1 after each challenge  Must be bound with data that identifies channel  Recipient memorizes most recent value  Rejects values that are too old  Similar to timestamp but  Local to originator or even channel  Cannot be used for timeout AB cAcA {c A } k AB AB cAcA AB {c A -1} k AB Challenge-response exchanges using counters

19 19 Keys  Initiator generates key k  Sends it encrypted  Recipient responds using k  Other mechanisms needed to guaranty freshness to recipient  Often done through third-party  Achieves key distribution at the same time AB {k} k AB {“Hi!”} k AB Challenge-response exchanges using keys {k} k AS {k} k BS S

20 20 More on Keys  Long-term keys  Exist before the protocol begins  Do not change across protocol executions  Session keys (or short-term keys)  Generated as part of the protocol  Validity guaranteed till protocol is completed  Could be released when protocol terminates  Could be cryptographically weak  Session (or run)  Protocol execution from start to finish

21 21 Authentication Assurance to be talking with the expected principal  Challenge-response is a fundamental mechanism  Ensure freshness  If channel is trusted, authenticates recipient to initiator  Mutual authentication  Both party believe they are talking to each other  Done through double challenge-response  Typically 3 messages AB {A,n A } k B {n A,n B } k A {n B } k B Needham-Schroeder public-key protocol (fragment)

22 22 Key Generation Protocols … A wants to establish channel with B  Shared-key infrastructure  Principals shares a key with a KDC  Public-key infrastructure  Principals have published encryption keys  Diffie-Hellman  Principals know group and generator

23 23 … with Shared-Key Infrastructure  Each principal has a shared key with KDC S  Ask S to create channel  Create new key k  Distribute k to A and B using k AS and k BS  Examples  Needham-Schroeder shared-key protocol  Otway-Rees, Yahalom, Woo-Lam, … S A B CD … k AS k BS k CS k DS …

24 24 Needham-Shroeder Shared Key  S creates k AB  1 challenge-response authenticates S to A  2 challenge-response authenticate A and B ASB A,B,n A {n A,B,k AB,{k AB,A} k BS } k AS {k AB,A} k BS {n B } k AB {n B -1} k AB

25 25 … with Public-Key Infrastructure  Each principal has a certified public key available to others  A and B use k B and k A to communicate securely  Examples  Bilateral key exchange protocol  … CA A B CD … Public data k A, k B, k C, k D

26 26 Bilateral Key Exchange Protocol  h is a hash function  Certificates could be included  Includes 2 challenge-response exchanges AB A,{n A,B} k B {h(n A ),n B,B,k} k A {h(n B )} k Public data k A, k B

27 27 … with Diffie-Hellman  Diffie Hellman alone cannot guarantee authentication  Minimum infrastructure required  Public key infrastructure for signatures  Examples  Station-to-station protocol  Found as option in many big protocols  IPSEC, ISAKMP, …

28 28 Diffie-Hellman Key Exchange Public data p, g A B Choose random a 1  a  p-1 send g a mod p Receive g b mod p (g b ) a = g ab mod p k = h(g ab ) Receive g a mod p Choose random b 1  b  p-1 Send g b mod p (g a ) b = g ab mod p k = h(g ab ) g a mod p g b mod p  A and B produce a shared secret out of nothing  However, no authentication  A has no way to be sure 2 nd message is from B  B has no way to be sure 1 st message is from A

29 29 Station-to-Station Protocol  This is an authenticated Diffie-Hellman  k’ A and k’ B are public signature keys  Certificates could also be included  g a and g b used for challenge-response  Achieves mutual authentication AB gaga g a,{[g a,g b ] k’ B } k {[g a,g b ] k’ A } k Public data p, g k’ A, k’ B k = g ab

30 30 Key Distribution Protocols  A and B possess public keys  Registered with certification authority  Certificates not available  Request signed certificates from CA  Examples  Needham-Schroeder public-key protocol  S acts as key database and CA  A and B use nonces for mutual authentication  …

31 31 Needham-Shroeder Public Key ASB A,B [B,k B ] k’ S {A,n A } k B B,A [A,k A ] k’ S {n A,n B } k A {n B } k B Public data k A, k B

32 32 Key Translation Protocols  A wants to send message to B … but no server is around to create keys  A exploits existing channels with a trusted third party S  A send m to S encrypted with k AS  S forwards m to B encrypted with k BS  Timestamps or other mechanisms used for authentication  S must be trusted to manipulate them correctly  Examples  Wide-Mouthed Frog protocol

33 33 Wide-Mouthed Frog Protocol  A generates the key k AB  S provides trusted timestamping  With t A, A authenticates to S  With t S, S authenticates to B  A authenticates to B indirectly  No authentication in the reverse direction ASB A,{t A,B,k AB } k AS {t S,A,k AB } k BS

34 34 Subprotocols Useful to add structure to protocols  Deterministic choice of continuation  Protocol behaves differently on different inputs  Protocols responds to optional requests  Non-deterministic continuation  Protocol flips a coin  Protocol can request optional behavior  Repeated parts  Repetitive behavior after initial phase  E.g. Neuman-Stubblebine, Kerberos, …

35 35 Neuman-Subblebine – Initial Part  {A,k AB,t B } k BS is A’s ticket to access B’s service  n A and n B mutually authenticate A and B ASB A,n A B,{A,n A,t B } k BS,n B {B,n A,k AB,t B } k AS,{A,k AB,t B } k BS,n B {A,k AB,t B } k BS,{n B } k AB

36 36 Neuman-Stubbl. – Repeated Part  A uses ticket to access B’s service  … until it expires  n’ A and n’ B reauthenticate A and B AB {A,k AB,t B } k BS,n’ A n’ B,{n’ A } k AB {n’ B } k AB

Download ppt "15-349 Introduction to Computer and Network Security Iliano Cervesato 9 September 2008 – Cryptographic Protocols."

Similar presentations

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
Authentication & Kerberos

Authentication & Kerberos
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Symmetric Key Infrastructure Karel Masarik, Daniel Cvrcek Faculty of Information Technology Brno University of Technology

Symmetric Key Infrastructure Karel Masarik, Daniel Cvrcek Faculty of Information Technology Brno University of Technology
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.

 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.

Similar presentations

Ads by Google