Slide 1: Class 4: Secure Channels and Practical Considerations
CIS 755: Advanced Computer Security, Spring 2015
Eugene Vasserman
http://www.cis.ksu.edu/~eyv/CIS755_S15/
Slide 2: Administrative stuff
- Quiz I graded. Any problems?
- Periodically check the main page for news and the schedule page for changes and slides.
- How were the "papers" for today?
- Teleconference information will change. Watch for email!
Slide 3: Last time: Basic primitives
- Confidentiality (encryption)
  – Symmetric (e.g. AES)
  – Asymmetric (e.g. RSA)
- Hash functions
- Integrity and authentication
  – Symmetric (message authentication codes)
  – Asymmetric (signatures)
- Random numbers
Slide 4: Preview of math in asymmetric crypto
- Diffie-Hellman
  – Discrete logarithm is "hard"
  – Computational and decisional "flavors" of the assumption
- RSA
  – Prime factorization is "hard"
- Quantum computing and Shor's algorithm
- Elliptic curves
- Bilinear maps
Slide 5: Person-in-the-middle (diagram)
Alice sets up an encrypted channel to whoever answers as Bob. The channel is Confidential but NOT Authenticated: Alice cannot tell who is at the other end ("Bob?").
Slide 6: Person-in-the-middle (diagram, continued)
The attacker ("Muahaha!") sits between the two, terminating Alice's channel and opening its own to Bob. Now the exchange is NOT Confidential and NOT Authenticated; Bob likewise cannot tell who is talking to him ("Alice?").
Slide 7: Certificates (diagram)
With certificates binding public keys to identities, the channel between Alice and Bob is Confidential and Authenticated ("Alice!"), and the person in the middle is cut out ("CRAP!").
Slide 8: PKI example: Confidential email (diagram)
Bob emails Alice. Confidential? Authenticated? Without a PKI, neither property is established ("Alice?").
Slide 9: PKI example: Confidential email (diagram, continued)
With a PKI, Bob's email to Alice is Confidential and Authenticated ("Alice!").
Slide 10: Questions?
Slide 11: In practice: Optimizations
- Asymmetric encryption: Password → Secret Key; send E_SK(K), E_K(M)
  (hybrid encryption: the message is encrypted under a fresh symmetric key K, and only K is encrypted asymmetrically)
- Signatures: Password → Secret Key; send M, Sig_SK(h(M))
  (hash-then-sign: the signature is computed over the hash of M, not over M itself)
- Why do this? Why is this safe?
- Symmetric: Password → key derivation/stretching/strengthening function → K
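The last bullet, "password → key derivation/stretching/strengthening function → K", as an added worked example (not from the slides): a password is stretched into a fixed-length key with PBKDF2-HMAC-SHA256, salted per user and with a deliberately slow iteration count, and the stored record is checked with a constant-time comparison. The iteration count, the 16-byte salt and the SHA-256 verifier are choices made for this example, not parameters from the course.

```python
import hashlib
import hmac
import secrets

# Example parameters (an assumption for this demo): tune iterations to your hardware
# so that one derivation costs tens of milliseconds for you and therefore for an attacker.
ITERATIONS = 100_000
KEY_LEN = 32  # bytes, e.g. a 256-bit symmetric key K


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a low-entropy password into a fixed-length key K.

    The salt makes equal passwords yield unrelated keys (no precomputed dictionary
    works across users); the iteration count makes every guess expensive.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def enroll(password: str) -> dict:
    """What a server keeps: salt and parameters plus a verifier, never the password or K."""
    salt = secrets.token_bytes(16)
    key = derive_key(password, salt)
    return {"salt": salt, "iterations": ITERATIONS,
            "verifier": hashlib.sha256(key).digest()}


def check_password(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt/parameters and compare in constant time."""
    key = derive_key(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(hashlib.sha256(key).digest(), record["verifier"])


def keys_differ_by_salt(password: str) -> bool:
    """Same password under two salts gives two unrelated keys."""
    k1 = derive_key(password, b"salt-one-0123456")
    k2 = derive_key(password, b"salt-two-6543210")
    return k1 != k2


if __name__ == "__main__":
    rec = enroll("correct horse battery staple")
    print("right password accepted:", check_password(rec, "correct horse battery staple"))
    print("wrong password rejected:", not check_password(rec, "Correct horse battery staple"))
    print("salt changes the key:", keys_differ_by_salt("correct horse battery staple"))
```

The iteration count is the "stretching": it does nothing against an attacker who already has the key, but multiplies the cost of every offline guess against the password.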
Slide 12: In practice: Problems
- Composability: http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
- An attack on PKCS #1 v2 standard-compliant RSA-OAEP leaks plaintext bits: http://www.springerlink.com/content/tw5tuqb3hxbn9grq/
- The same style of error-oracle attack also leaks plaintext bits in many systems that use CBC block cipher mode: http://lasecwww.epfl.ch/pub/lasec/doc/Vau02a.ps
- (xkcd.com cartoon)
Slide 13: Problems: Composability
Example: WEP
- Send IV, RC4(IV, k) ⊕ (M, c(M)), where c is the (unkeyed) checksum
- Claim: 24-bit IV + 40-bit key = 64-bit security
(On the right: text from Jonathan Katz)
- Is this secure against chosen-plaintext attacks? It is randomized...
- 40-bit key (in some implementations)! Claims that, with the IV, this gives a 64-bit effective key(!)
- And how is the IV chosen?
  – Only 24 bits long; IV repetitions are a problem!
  – Reset to 0 upon re-initialization
  – Some implementations increment the IV as a counter
- A repeating IV allows the attacker to compute the XOR of two plaintexts
  – We have already discussed how damaging this can be
- Small IV space means the attacker can build a dictionary of (IV, RC4(IV, k)) pairs
  – If portions of some plaintexts are known, this enables determination of other plaintexts
- Known-plaintext attacks discovered on this usage of RC4
  – Possible because the first byte of plaintext is a fixed, known header!
- Chosen-plaintext attacks
  – Send IP traffic/e-mail to the mobile host and watch it get forwarded
  – Transmit broadcast messages to the access point
  – Authentication spoofing
- No cryptographic integrity protection
  – The checksum is linear (i.e., c(x ⊕ y) = c(x) ⊕ c(y)) and unkeyed, and therefore easy to attack
  – Allows IP redirection attack
  – Allows TCP "reaction" attacks: look at whether the TCP checksum is valid (a form of chosen-ciphertext attack)
- Encryption used to provide authentication of the mobile station (access point sends a nonce; station returns an encryption of the nonce)
  – Allows easy spoofing after eavesdropping
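Two of the problems above, as an added example written for this page (not code from the course or from any WEP implementation): a minimal WEP-style frame, IV || RC4(IV || k) ⊕ (M || CRC-32(M)), then (1) recovery of a second plaintext from a repeated IV and one known plaintext, and (2) a bit-flip on ciphertext the attacker cannot read, with the ICV repaired without the key. The 40-bit key, the zero IV and the two messages are constructed demo values. One caveat the slide glosses over: zlib's CRC-32 is affine rather than strictly linear, so the exact identity used is crc(m ⊕ d) = crc(m) ⊕ crc(d) ⊕ crc(0…0) for equal lengths; the extra constant costs the attacker nothing.

```python
import zlib

# Constructed demo values: a 40-bit WEP key and an IV that was "reset to 0".
KEY = bytes.fromhex("0123456789")
IV_ZERO = b"\x00\x00\x00"
M1 = b"Dear Bob, lunch at noon?"   # plaintext the attacker already knows
M2 = b"Transfer 100 USD to Eve."   # same length, sent under the same IV


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key scheduling, then n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc(m: bytes) -> bytes:
    # WEP's ICV is CRC-32; the byte order here is a demo choice.
    return zlib.crc32(m).to_bytes(4, "big")


def wep_encrypt(k: bytes, iv: bytes, m: bytes) -> bytes:
    """Frame = IV || RC4(IV || k) XOR (M || c(M)). The per-packet key is just IV prepended to k."""
    body = m + crc(m)
    return iv + xor(rc4_keystream(iv + k, len(body)), body)


def wep_decrypt(k: bytes, frame: bytes):
    """What the receiver does: returns (icv_ok, plaintext)."""
    iv, ct = frame[:3], frame[3:]
    body = xor(rc4_keystream(iv + k, len(ct)), ct)
    m, icv = body[:-4], body[-4:]
    return icv == crc(m), m


def recover_from_iv_reuse(frame1: bytes, known_m1: bytes, frame2: bytes) -> bytes:
    """Attack 1: same IV means same keystream, so c1 XOR c2 = m1 XOR m2;
    knowing m1 (e.g. a fixed header) gives m2 directly."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("attack needs a repeated IV")
    m1_xor_m2 = xor(frame1[3:], frame2[3:])
    return xor(known_m1, m1_xor_m2[: len(known_m1)])


def icv_fixup(delta: bytes) -> bytes:
    """CRC-32 is affine: crc(m XOR delta) = crc(m) XOR crc(delta) XOR crc(0...0)
    for equal lengths, so the ICV can be updated without knowing m or k."""
    fix = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return fix.to_bytes(4, "big")


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Attack 2: flip chosen plaintext bits inside an unreadable ciphertext and keep
    the unkeyed, linear checksum valid."""
    iv, ct = frame[:3], frame[3:]
    return iv + xor(ct, delta + icv_fixup(delta))


def demo():
    f1 = wep_encrypt(KEY, IV_ZERO, M1)
    f2 = wep_encrypt(KEY, IV_ZERO, M2)
    recovered = recover_from_iv_reuse(f1, M1, f2)
    delta = bytearray(len(M2))
    delta[9] = ord("1") ^ ord("9")        # turn "100" into "900"
    icv_ok, tampered = wep_decrypt(KEY, flip_bits(f2, bytes(delta)))
    return recovered, icv_ok, tampered


if __name__ == "__main__":
    recovered, icv_ok, tampered = demo()
    print("recovered from IV reuse:", recovered)
    print("tampered frame passes ICV check:", icv_ok, "->", tampered)
```

Neither attack touches RC4 itself; both come from how the pieces were composed (a 24-bit IV, and a linear unkeyed checksum under a stream cipher), which is the composability point of the slide.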
Slide 14: Problems: Side channels
- Side-channel attacks are VERY damaging
  – Power
  – Timing (see the news (2013) and cool stuff (2014) pages)
  – Error messages! Different errors in SSH leak information (a mismatch between the implementation and the specification of CBC block cipher mode): http://portal.acm.org/citation.cfm?id=586112
Slide 15: Questions?
Slide 16: Exercise
- How do we design a naïve asymmetric encryption scheme from everything we have learned so far?
- RSA does not provide integrity. Why?
- Malleable vs. non-malleable
- Why might we sometimes want malleability?
Slide 17: Cool stuff
- Elliptic curves: y^2 = x^3 + ax + b
- Secure multiparty computation
  – General existence result
  – Communication complexity
- Threshold cryptography
  – Encryption, signatures, secret sharing
Slide 18: More cool stuff
- Identity-based encryption (IBE)
  – Time-period-based
- Attribute-based encryption (ABE)
- Zero-knowledge (ZK) proofs
  – General existence result for NP
  – Interactive or non-interactive (NIZK)
  – Soundness comes from the number of rounds, or is fixed in advance
- Homomorphic encryption
Slide 19: Yet more cool stuff
- Key management
  – Key trees
  – Hierarchical, time-based access
- One-time-use tokens
  – Compare to capabilities
- Blind signatures
- Compact signature aggregation
- Commitments (vs. hashes)
Slide 20: Questions?
Slide 21: Today's readings
- Bryant. Designing an Authentication System: a Dialogue in Four Scenes. MIT, 1988. (Kerberos V4)
  – Afterword by Ts'o. MIT, 1997. (Kerberos V5)
- Fu, Sit, Smith, and Feamster. Dos and Don'ts of Client Authentication on the Web. 2001.
Slide 22: User authentication
- What do we usually think of? Passwords! In essence: something only you know
- What does authentication provide? Access control. In essence: access to a limited resource
Slide 23: Access control
- Authentication → access; no authentication → no access
- What are we protecting?
- Who is our adversary? (Threat model)
- Who is trusted?
- Where does enforcement occur?
Slide 24: "My voice is my passport; authorize me!"
- User A says: "I want access to resource R. Kerberos server, authenticate me!"
- R does not know whether A has rights to access R
- Kerberos server:
  – Checks that A is who she says she is
  – Checks that A is authorized for access to R
- R trusts the Kerberos server but not A
Slide 25: Authentication → capability → access
- The Kerberos server issues a "token" T to A
  – T is tied to A
  – T expires
  – T cannot be generated by anyone other than the Kerberos server (cannot be forged)
- T tells resource R that:
  – T was issued by the Kerberos server
  – A has the right to access R for a limited time
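The three properties of T (tied to A, expires, unforgeable), as an added example that is not from the slides or from any Kerberos implementation: the server and resource R share a long-term key K_R; the server binds user, resource and expiry under an HMAC with that key, and R checks the tag before trusting any field. Real Kerberos tickets are encrypted under the service's key and also carry a session key; this example uses a MAC only (the fields are visible), so it is an expiring capability rather than a full ticket. K_R, the field names and the time values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed: the long-term key shared between the Kerberos server and resource R.
# Nobody else holds it, so nobody else can produce a valid tag (T cannot be forged).
K_R = bytes.fromhex("6b65726265726f732d7265736f757263652d6b6579")
TAG_LEN = 32  # HMAC-SHA256


def issue_token(k_r: bytes, user: str, resource: str, now: int, ttl: int) -> str:
    """Kerberos server side: bind A, R and an expiry together under K_R."""
    body = {"sub": user, "res": resource, "exp": now + ttl, "nonce": secrets.token_hex(8)}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(k_r, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify_token(k_r: bytes, token: str, expected_resource: str, now: int):
    """Resource R side. Returns (granted, user_or_reason).

    Order matters: check the tag first (constant time), and only then read the
    fields, because until the tag verifies every field is attacker-controlled.
    """
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, TypeError):
        return False, "malformed"
    if len(raw) <= TAG_LEN:
        return False, "malformed"
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(k_r, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "forged or tampered"
    body = json.loads(payload)
    if body["res"] != expected_resource:      # T is tied to a specific R
        return False, "token is for a different resource"
    if now >= body["exp"]:                    # T expires
        return False, "expired"
    return True, body["sub"]                  # T is tied to A


def tamper(token: str, field: str, value) -> str:
    """Attacker: rewrite one field and re-encode, keeping the old tag (no key)."""
    raw = base64.urlsafe_b64decode(token.encode())
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    body = json.loads(payload)
    body[field] = value
    new_payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(new_payload + tag).decode()


if __name__ == "__main__":
    t = issue_token(K_R, "alice", "printer", now=1000, ttl=300)
    print(verify_token(K_R, t, "printer", now=1100))         # granted, alice
    print(verify_token(K_R, t, "printer", now=1300))         # expired
    print(verify_token(K_R, t, "fileserver", now=1100))      # wrong resource
    print(verify_token(K_R, tamper(t, "exp", 10**9), "printer", now=5000))  # tag fails
```

The nonce keeps two tokens for the same user and resource from being byte-identical, but it does not by itself stop a captured token from being replayed within its lifetime; that is the gap the V5 replay-protection change on slide 28 addresses.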
Slide 26: Questions?
- Why SSL, not Kerberos, for e-commerce?
- What's the major difference between SSL certificates and Kerberos tokens?
- What's the "SSL equivalent" of a Kerberos server?
Slide 27: Partially implied assumptions
- The Kerberos server is trusted
- The user is not the "client" (software)
Slide 28: V5 and Encrypt-then-MAC
- Changes in Kerberos V5:
  – Replay protection beyond timestamps
  – One fewer layer of encryption
  – Secure delegation
- The mechanism for verifying that decryption succeeded is incorrect: one should use encrypt-then-MAC
  – More secure than MAC-then-encrypt or encrypt-and-MAC (provably secure, in fact!)
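Encrypt-then-MAC in working code, as an added example for this page (not from Kerberos or the course): the tag is computed over nonce and ciphertext under a key independent of the encryption key, and the receiver verifies it in constant time before it decrypts anything. The cipher is a stand-in keystream built from HMAC-SHA256 in counter mode so the example runs with the standard library alone; it is an assumption of the demo, and any IND-CPA cipher such as AES-CTR would take its place.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 12
TAG_LEN = 32


def keystream(k_enc: bytes, nonce: bytes, n: int) -> bytes:
    """Demo stand-in for a stream cipher: HMAC-SHA256(k_enc, nonce || counter) blocks.
    Not a standard cipher; it is here only so the example needs no third-party library."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(k_enc, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(k_enc: bytes, k_mac: bytes, m: bytes) -> bytes:
    """Encrypt-then-MAC: blob = nonce || ct || HMAC(k_mac, nonce || ct).
    The tag covers everything the receiver will use to decrypt, including the nonce."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = xor(keystream(k_enc, nonce, len(m)), m)
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(k_enc: bytes, k_mac: bytes, blob: bytes):
    """Verify first, then decrypt. Every rejection is the same None, so a forged
    message yields no error-message side channel about its would-be plaintext."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor(keystream(k_enc, nonce, len(ct)), ct)


def flip_byte(blob: bytes, offset: int, mask: int) -> bytes:
    """Attacker: the WEP-style bit flip on a byte of the blob."""
    b = bytearray(blob)
    b[offset] ^= mask
    return bytes(b)


if __name__ == "__main__":
    k_enc, k_mac = secrets.token_bytes(32), secrets.token_bytes(32)
    blob = seal(k_enc, k_mac, b"attack at dawn")
    print(open_(k_enc, k_mac, blob))                               # b'attack at dawn'
    print(open_(k_enc, k_mac, flip_byte(blob, NONCE_LEN, 0x01)))   # None: ciphertext flip caught
    print(open_(k_enc, k_mac, flip_byte(blob, 0, 0x01)))           # None: nonce is covered too
```

Contrast with MAC-then-encrypt: there the receiver must decrypt before it can check anything, so a malformed forgery is processed as plaintext and the way it fails (a padding error versus a bad tag, say) is exactly the kind of error-message side channel listed on slides 12 and 14.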
Slide 29: SSL 3.0/TLS 1.0 vulnerabilities
US-CERT Vulnerability Note VU#864643: SSL 3.0 and TLS 1.0 allow chosen-plaintext attack in CBC modes
"An attacker with the ability to pose as a man-in-the-middle and to generate specially-crafted plaintext input could decrypt the contents of an SSL- or TLS-encrypted session. This could allow the attacker to recover potentially sensitive information (e.g., HTTP authentication cookies)."
NOT new: known CBC-mode attacks
Slide 30: Exercise
How do we handle password-based authentication over an insecure channel?
Slide 31: Exercise
Design and sketch an implementation of an expiring capability (similar to a Kerberos token) in terms of what we have learned so far.
Slide 32: Questions? Reading discussion