Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 6.2: Protocols - Authentication and Key Exchange II CS 436/636/736 Spring 2012 Nitesh Saxena.

Published byAshlie Carter Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 6.2: Protocols - Authentication and Key Exchange II CS 436/636/736 Spring 2012 Nitesh Saxena."— Presentation transcript:

1 Lecture 6.2: Protocols - Authentication and Key Exchange II CS 436/636/736 Spring 2012 Nitesh Saxena

2 Course Admin HW2 solution emailed Grading ongoing Exam study topics emailed 11/12/2015 Protocols: Authentication and Key Exchange 2

3 Course Admin Mid-Term Exam – On March 08 – In class, from 11am-12:15pm Covers lectures up to Feb 23 In-class review on Mar 06 (Tuesday) Strictly closed-book (no cheat-sheets are allowed) A sample exam will be provided as we near the exam date 3

4 Outline of Today’s lecture Today we try to put everything together – Encryption (public-key/private-key) – MACs – Signing – Key-Distribution Secure protocols (for secure communication) – Authentication We studied it somewhat while talking about key distribution – (Authenticated-) Key Exchange Designing secure protocols is hard – we’ll only be able to learn the basics today We’ll use the board extensively today – be prepared to take notes 11/12/2015 Protocols: Authentication and Key Exchange 4

5 MAC-based Authentication 1.A  B: A, rA 2.B  A:rB, HMAC K (rB, rA, A) 3.A  B:HMAC K (rA, rB,B) Faster than enc-based protocols (computationally) 11/12/2015 Protocols: Authentication and Key Exchange 5

6 Public-key based authentication (Needham-Shroeder (NS) pk-based) Assuming public keys are distributed through CA(s) 1.A  B: Enc pkb (rA, A) 2.B  A:Enc pka (rA, rB) 3.A  B:Enc pkb (rB) 11/12/2015 Protocols: Authentication and Key Exchange 6

7 Attack and fix on PK-based NS protocol Attack: Fix: 1.A  B: Enc pkb (rA, A) 2.B  A:Enc pka (rA, rB,B) 3.A  B:Enc pkb (rB) 11/12/2015 Protocols: Authentication and Key Exchange 7

8 Signature-based authentication (assuming public keys are distributed through CA) A auth B A  B: Hi Bob, this is Alice! B  A: r (a challenge) A  B: Sig SKa (r,B) (response) A auth B, B auth A (run two copies; piggyback common flows) A  B: A, rA (could sign this too) B  A:rB, Sig SKb (rB, rA, A) A  B:Sig SKa (rA,rB,B) 11/12/2015 Protocols: Authentication and Key Exchange 8

9 Authenticated Key Exchange (AKE) Public-key operations are costly Why not 1.use public-key mutual authentication protocols to exchange a symmetric key 2.use this symmetric key with a symmetric encryption to secure subsequent communication 11/12/2015 Protocols: Authentication and Key Exchange 9

10 Security Notion for AKE Launch protocol between any pair Reveal all session key except one Try to distinguish the key of the unrevealed session from random This captures: the compromise of other sessions should not lead to the compromise of any other session 11/12/2015 Protocols: Authentication and Key Exchange 10

11 1.A  B: A, rA, Enc PKb (K) (must sign this too??) 2.B  A:rB, Sig SKb (rB, rA, A) 3.A  B:Sig SKa (rA, rB, B) 4.A and B output K as the authenticated key Such a protocol can be instantiated using RSA encryption/signing – The way SSL/SSH establishes key But, generally only the server authenticates to the client, not vice versa 11/12/2015 Protocols: Authentication and Key Exchange 11

12 X.509: One-Way Authentication 1 message ( A->B) used to establish – the identity of A and that message is from A – message was intended for B – integrity & originality of message 11/12/2015 Protocols: Authentication and Key Exchange 12 A B 1-A {ta,ra,B,sgnData,KUb[Kab]} Ta-timestamp rA=nonce B =identity sgnData=signed with A’s private key

13 X.509: Two-Way Authentication 2 messages (A->B, B->A) which also establishes in addition: – the identity of B and that reply is from B – that reply is intended for A – integrity & originality of reply 11/12/2015 Protocols: Authentication and Key Exchange 13 A B 1-A {ta,ra,B,sgnData,KUb[Kab]} 2-B {tb,rb,A,sgnData,KUa[Kba]}

14 X.509: Three-Way Authentication 3 messages (A->B, B->A, A->B) which enables above authentication without the need for synchronized clocks 11/12/2015 Protocols: Authentication and Key Exchange 14 A B 1- A {ta,ra,B,sgnData,KUb[Kab]} 2 -B {tb,rb,A,sgnData,KUa[Kab]} 3- A{rb}

15 Discrete Logarithm Assumption p, q primes such that q|p-1 g’ be the generator of Z p * g is an element of order q and generates a group G q of order q; g = g’ (p-1)/q x in Z q, y = g x mod p Given (p, q, g, y), it is computationally hard to compute x – No polynomial time algorithm known – p should be 1024-bits and q be 160-bits x becomes the private key and y becomes the public key 11/12/2015 Protocols: Authentication and Key Exchange 15

16 Example of DL-based system Let’s construct an example KeyGen: – p = 11, q = 2 or 5; let’s say q = 5 – 2 is a generator of Z 11 * – g = 2 2 = 4 – x = 2; y = 4 2 mod 11 = 5 11/12/2015 Protocols: Authentication and Key Exchange 16

17 Diffie-Hellman (DH) Key Exchange 1.A  B: K a = g a mod p 2.B  A:K b = g b mod p 3.A outputs K ab = K b a 4.B outputs K ba = K a b Note K ab = K ba = g ab mod p 11/12/2015 Protocols: Authentication and Key Exchange 17

18 Security of DH key exchange No authentication of either party Secure only against a passive adversary – Under the computational Diffie-Hellman assumption Given (g, g a,g b ), hard to compute g ab Not secure against an active attacker – Man-in-the-middle attack… 11/12/2015 Protocols: Authentication and Key Exchange 18

19 Authenticated DH Key Exchange 1.A  B: K a = g a mod p 2.B  A:Cert b, K b = g b mod p Enc Kba [Sig SKb (K b, K a )] 3.A  B:Cert a, Enc Kab [Sig SKa (K a,K b )] 4.A outputs K ab = K b a 5.B outputs K ba = K a b 11/12/2015 Protocols: Authentication and Key Exchange 19

20 Summary Designing secure protocols is not easy – Becomes harder in a concurrent setting, where there are multiple parties, executing multiple instances of the protocols simultaneously – Becomes even harder as the number of parties increase; n-party or group setting Use the protocols that are well-studied and standardized While designing a protocol, consider – Reflection attacks – Replay attacks – Eliminating any symmetry in the messages 11/12/2015 Protocols: Authentication and Key Exchange 20

21 Further Reading HAC – chapter 10 Stallings – Chapter 15 11/12/2015 Protocols: Authentication and Key Exchange 21

Download ppt "Lecture 6.2: Protocols - Authentication and Key Exchange II CS 436/636/736 Spring 2012 Nitesh Saxena."

Similar presentations

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,

1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,
Cryptography and Network Security (CS435) Part Eleven (Digital Signatures and Authentication Protocols)

Cryptography and Network Security (CS435) Part Eleven (Digital Signatures and Authentication Protocols)
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.

Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

Similar presentations

Ads by Google