Presentation is loading. Please wait.

Presentation is loading. Please wait.

Perspectives: Improving SSH- Style Host Authentication with Multi-Path Probing Analysis and Comments Gregory T. Hoffer CS7123 – Research Seminar (Dr. Qi.

Published byJane Watkins Modified over 9 years ago

Similar presentations

Presentation on theme: "Perspectives: Improving SSH- Style Host Authentication with Multi-Path Probing Analysis and Comments Gregory T. Hoffer CS7123 – Research Seminar (Dr. Qi."— Presentation transcript:

1 Perspectives: Improving SSH- Style Host Authentication with Multi-Path Probing Analysis and Comments Gregory T. Hoffer CS7123 – Research Seminar (Dr. Qi Tian)

2 Overview  Project Description  Problem  Objective  Design  Security Analysis  Future Work

3 Project Description  Problem  SSL requires shared secret to be exchanged  Diffie-Hellman key exchange subject to MITM attack.

4 Project Description  SSL Certificate Acceptance (Tofu)

5 Project Description  Certificate Authority (CA)  List embedded in client  Certificate Revocation checks

6 Project Description  Problem Summary  Rely upon the user’s discretion to determine if unauthenticated key is valid  Key authentication is based upon “known good” list of trusted certs (“centralized trust brokers”), which have been shown to be insecure ( http://nakedsecurity.sophos.com/2011/03/24/fraudulent-certificates-issued- by-comodo-is-it-time-to-rethink-who-we-trust/ ) http://nakedsecurity.sophos.com/2011/03/24/fraudulent-certificates-issued- by-comodo-is-it-time-to-rethink-who-we-trust/  Certificate Revocation not always in use, and itself susceptible to attack or becoming stale.

7 Project Description  Objective  Create modular notary network  Tolerate internal failures  Tolerate compromises

8 Project Description  Design  Network of notaries  Each notary monitors and records keys requested/sent, cryptographically signed.  Multiple “Vantage Points” to provide fault tolerance, rigor against compromise of single (or few) notaries.  Data redundancy by “shadowed” copies of notary data.

9 Project Description Source: “With SSL, who can you really trust?”, 2011, Network World. (http://www.networkworld.c om/news/2011/081811- ssl-249874.html?page=2)http://www.networkworld.c om/news/2011/081811- ssl-249874.html?page=2

10 Security Analysis  MitM attacks provide client with false public key.  Assume attacks are either  Localized to a particular network scope, or  Of a limited duration  Data Redundancy helps clients detect malicious notaries  Bootstrapping the observations?  How to secure client operation (e.g. Plugins)?  How to manage notary trust?

11 Future Work Description Notary-Aware Services Additional Protocols DNSSEC Performance (Client, Server)

12 Conclusion  Perspectives represents an interesting class of security in an interesting deployment – network of notaries.  While addressing some key security problems of authenticating servers, it raises other questions of security of the system. Quis custodiet ipsos custodes?

13 Questions and Discussion  Any questions or comments?

14 References  Dan Wendlandt, David G. Andersen, and Adrian Perrig. 2008. Perspectives: improving SSH-style host authentication with multi-path probing. In USENIX 2008 Annual Technical Conference on Annual Technical Conference (ATC'08). USENIX Association, Berkeley, CA, USA, 321-334  J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, L. Cranor. 2009. Crying wolf: an empirical study of SSL warning effectiveness. In Proceedings of the 18th conference on USENIX security symposium (SSYM'09). USENIX Association, Berkeley, CA, USA, 399-416.

Download ppt "Perspectives: Improving SSH- Style Host Authentication with Multi-Path Probing Analysis and Comments Gregory T. Hoffer CS7123 – Research Seminar (Dr. Qi."

Similar presentations

Secure Routing Panel FIND PI Meeting (June 27, 2007) Morley Mao, Jen Rexford, Xiaowei Yang.

Secure Routing Panel FIND PI Meeting (June 27, 2007) Morley Mao, Jen Rexford, Xiaowei Yang.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 3.1 Overview of Authentication.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 3.1 Overview of Authentication.
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Kerberos Assisted Authentication in Mobile Ad-hoc Networks Authors: Asad Amir Pirzada and Chris McDonald Sources: Proceedings of the 27th Australasian.

Kerberos Assisted Authentication in Mobile Ad-hoc Networks Authors: Asad Amir Pirzada and Chris McDonald Sources: Proceedings of the 27th Australasian.
Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.

Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)

Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Perspectives: Improving SSH-style Host Authentication or How to Strengthen Tofu Dan Wendlandt - - Carnegie Joint.

Perspectives: Improving SSH-style Host Authentication or How to Strengthen Tofu Dan Wendlandt - - Carnegie Joint.
Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.

Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.
1 Intrusion Tolerance for NEST Bruno Dutertre, Steven Cheung SRI International NEST 2 Kickoff Meeting November 4, 2002.

1 Intrusion Tolerance for NEST Bruno Dutertre, Steven Cheung SRI International NEST 2 Kickoff Meeting November 4, 2002.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)

CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

Similar presentations

Ads by Google