Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIS/TCOM 551 Computer and Network Security Slide Set 5 Carl A. Gunter Spring 2004.

Published byPenelope Henry Modified over 9 years ago

Similar presentations

Presentation on theme: "CIS/TCOM 551 Computer and Network Security Slide Set 5 Carl A. Gunter Spring 2004."— Presentation transcript:

1 CIS/TCOM 551 Computer and Network Security Slide Set 5 Carl A. Gunter Spring 2004

2 Protocols l Overview l Entity Authentication l Key Establishment

3 General Definition of “Protocol” l A protocol is a multi-party algorithm, defined by a sequence of steps precisely specifying the actions required of two or more parties in order to achieve a specified objective.

4 Arbitrated Protocols

5 Adjudicated Protocols

6 Self-Enforcing Protocols

7 Protocol Sample Threat l Common strategy.  Encrypt for confidentiality.  Sign for integrity. l Is it better to sign then encrypt? l Or is it better to encrypt then sign? l There is a pitfall.

8 Messages l P -> R : ER(M, DP(M))  R decodes with DR  Verifies with EP:  EP(DP(M)) = M ? l P -> R : ER(M), DP(ER(M))  R decodes with DR  Verifies with EP:  EP(DP(ER(M))) = ER(M) ?

9 Pitfall l Interception Scenario  P -> O (R) : ER(M), DP(ER(M))  O -> R : ER(M), DO(ER(M)) l R might think that M came from O. l Is this really a problem? l To be safe: sign then encrypt.

10 Foundations of Authentication l Authentication is based on one or more of the following:  Something you know.  Something you have.  Something inherent about you.

11 Entity Authentication l Aims and Threats l Weak Security: Passwords l Strong Security: Challenge-Response

12 Typical Setup ClaimantVerifier Userid: Password: Identification Authentication Terminology: identification will be used to refer to the combination of claimed identity and its authentication.

13 Aim l For honest parties, the claimant A is able to authenticate itself to the verifier B. That is, B will complete the protocol having accepted A’s identity.

14 Threats l Transferability: B cannot reuse an identification exchange with A to successfully impersonate A to a third party C. l Impersonation: The probability is negligible that a party C distinct from A can carry out the protocol in the role of A and cause B to accept it as having A’s identity.

15 Assumptions l A large number of previous authentications between A and B may have been observed. l The adversary C has participated in previous protocol executions with A and/or B. l Multiple instances of the protocol, possibly instantiated by C, may be run simultaneously.

16 Attacks Not Addressed l Identification affirms that communication with the expected party occurred at a given point in time. l Two active attacks are not addressed:  Usurpation: The session beginning with the identification is “usurped” by the attacker as a man-in-the-middle.  Grand Master Postal Attack Problem: A man-in-the-middle relays messages between two parties without changing them.

17 Unix Passwords l Humans need memorable keys, care must be taken to use these keys properly. l Password Security: A Case History, Robert Morris and Ken Thompson, CACM v22(1979), 594-597.

18 Make a File of Passwords l At first Unix was implemented with a password file holding the actual passwords of users. l This was vulnerable to many lapses  Copies were made by privileged users  Copies were made by bugs: classic example posted password file on daily message file  Physical access to backup was a vulnerability  Information from the password file needed to be replicated into many other files

19 First Approach l Encrypt the passwords and keep the encrypted version. l Take the password from the user, encrypt it, and compare with password file entry. l Problems  poor user selection of passwords  online dictionary attack l On a PDP-11/70 it was possible to compute the encryptions of all passwords using 6 lower-case letters in about 107 hours.

20 Heuristics for Guessing l The dictionary with the words spelled backwards l A list of first names (best obtained from some mailing list). Last names, street names, and city names also work well. l The above with initial upper-case letters. l All valid license plate numbers in your state. (About 5 hours work in 1979 for New Jersey.) l Room numbers, social security numbers, telephone numbers, and the like.

21 A Survey of 3,289 Passwords l With no constraints on choice of password, Morris and Thompson got the following results:  15 were a single ASCII letter.  72 were strings of two ASCII letters.  464 were strings of three ASCII letters.  47 were strings of four alphanumerics.  706 were five letters, all upper-case or all lower-case.  605 were six letters, all lower case.

22 Risk in Password Restrictions l An installation required users to accept a machine-selected password. l These were 8 characters long (lower case and digits) and generated from a pseudorandom number generator. l There were only 2**15 starting values (seeds). l Time to search strings of length 8 required 112 years (on machines of the time). l Time to check 2**15 seeds, not long!

23 Improvements to First Approach l Slower encryption: use password to create a key, then encrypt a constant using 25 iterations of the DES algorithm. l Enforce password rules. l “Mess up” DES: change algorithm so that stock hardware cannot be used.

24 Slowing Dictionary Attacks l “Salt” the passwords by adding random bits.  Makes dictionary attacks more expensive.  Decreases the likelihood that two identical passwords will appear as identical entries in the password file. l 12 bit salt results in 4,096 versions of each password.

25 Classic Unix Crypt – part 1 l Supplied by the user: a password P, truncated to 8 characters by the system. l Held by the system: a 77 bit value consisting of a 12 bit salt S and cryptographic hash derived as follows. l Pad password with zeros if necessary to get 56 bit key K.

26 Classic Unix Crypt – part 2 l Create a modified DES with expansion permutations (32 to 48 bits) determined by S. l Use K as a DES key to encrypt a 64 bit block of zeros, running the encryption 25 times. l This yields a 64 bit ciphertext. Add the 12 bit salt and represent this as 11 7-bit characters.

27 One Time Passwords l Shared lists. l Sequentially updated. l One-time password sequences based on a one-way function.

28 Hash-based 1-time Passwords l A claimant identifies itself to verifier B using a one-way hash function H. l One-time setup.  A chooses a secret w.  Fixes a constant t for the number of times the verification can be done.  A securely transfers H**t(w) to B. l Protocol messages. For the i’th identification where 1 <=i <= t:  A -> B: A, i, H**(t-i)(w)

29 Hash-based 1-time Passwords l Protocol actions. For session i, claimant A does the following to identify itself:  A computes w’ = H**(t-i)(w) and transmits the value to B.  B checks that i is the correct session (ie. that the previous session was i-1) and checks to see if H(v) = w’ where v was the last value provided by A (as part of session i-1).  B saves w’ and i for use in the next session.

30 Challenge-Response l Background.  Random numbers (nonces).  Sequence numbers.  Timestamps. l Symmetric keys.  With timestamps or random numbers. l MAC’s. l Asymmetric keys.  With encryption or signature.

31 Replay l Replay is the treat in which a transmission is observed by an eavesdropper who subsequently reuses it as part of a protocol, possibly to impersonate the original sender. l Example: monitor the first part of a telnet session to obtain a sequence of transmissions sufficient to get a log-in. l There are 3 general strategies for defeating replay attacks: nonces, timestamps, and sequence numbers.

32 Random Numbers l A random number is a number chosen unpredictably in a range. l In a challenge-response protocol they are used as follows.  The verifier chooses a (new) random number and provides it to the claimant.  The claimant performs an operation on it showing knowledge of a secret.  This information is bound inseparably to the random number and returned to the verifier for examination.  A timeout period is used to ensure “freshness”.

33 Sequence Numbers l Sequence numbers provide a sequential or monotonic counter on messages. l If a message is replayed and the original message was received, the replay will have an old or too-small sequence number and be discarded. l Cannot detect forced delay. l Difficult to maintain when there are system failures.

34 Time Stamps l The claimant sends a message with a timestamp. l The verifier checks that it falls within an acceptance window of time. l The last timestamp received is held, and identification requests with older timestamps are ignored. l Good only if clock synchronization is close enough for acceptance window.

35 Unilateral Symmetric Key l Unilateral authentication with timestamp generated by A.  A -> B : E(K, (t, B)) l Unilateral authentication with random number generated by B.  B -> A : r  A -> B : E(K, (r, B))

36 Mutual Symmetric Key l Using random numbers:  B -> A: rB  A -> B: E(K, (rA, rB, B))  B -> A: E(K, (rB, rA))

37 Mutual MAC Function l Let H be a hash function and K be a shared secret between A and B.  B -> A: rB  A -> B: rA, H(K, (rA, rB, B))  B -> A: H(K, (rB, rA, A))

38 Passkey Systems F S PIN A Display Claimant AVerifier B e y Challenge Generator Login Request Passcode Generator F Secret Database Compare (challenge) (response) PIN S

39 Unilateral Public Key Decryption l Encryption under A’s public key is EA:  B -> A : H(r), B, EA(r, B)  A -> B : r l The witness H(r) shows knowledge of r and prevents chosen plaintext attacks on EA.

40 Mutual Public Key Decryption l Let EA and EB be the encryption functions for the public keys of A and B respectively.  A -> B: EB(rA, A)  B -> A: EA(rA, rB)  A -> B: rB

41 Unilateral Digital Signatures l Let SA and SB be the signature functions of A and B respectively. l Unilateral authentication with timestamps:  A -> B: t, B, SA(t, B) l Unilateral authentication with random numbers:  B -> A: rB  A -> B: rA, B, SA(rA, rB, B)  The rA prevents chosen plaintext attacks.

42 Mutual Digital Signatures l Using random numbers.  B -> A: rB  A -> B: rA, B, SA(rA, rB, B)  B -> A: A, SB(rB, rA, A)

43 Primary Attacks l Impersonation. l Replay. l Interleaving. l Reflection. l Forced delay. l Chosen plaintext.

44 Primary Controls l Replay: use of challenge-response techniques and embedding target identity in response. l Interleaving: link messages in a run with chained nonces. l Reflection: embed identifier of target party in challenge response, use asymmetric message formats, use uni- directional keys.

45 Primary Controls, continued l Chosen text: embed self-chosen random numbers (“confounders”) in responses, use “zero knowledge” techniques. l Forced delays: use random numbers with short timeouts, use timestamps with other techniques.

46 Multiple Use of Keys l There are risks in using keys for multiple purposes. l Using an RSA key for both entity authentication and signatures may allow a chosen-text attack. l B attacker/verifier, rB=H(M) for some message M.  B -> A: rB  A -> B: B, SA(rB)  B(A) -> C: M, SA(H(M)) B, pretending to be A

47 Effective Control l Notice how the protocol described earlier foils this. Here’s the protocol:  B -> A: rB  A -> B: rA, B, SA(rA, rB, B) l Here’s what happens:  B -> A: rB  A -> B: rA, B, SA(rA, rB, B)  B(A) -> C: M, SA(rA, H(M), B)  C finds that SA(rA, H(M), B)  SA(H(M)) and rejects the signature.

48 Usurpation Attacks l Identification protocols provide assurances corroborating the identity of an entity only at a given instant in time. l Techniques to assure ongoing authenticity:  Periodic re-identification.  Tying identification to an ongoing integrity service. For example: key establishment and encryption.

49 Key Establishment l Symmetric keys.  Point-to-Point.  Needham-Schroeder.  Kerberos. l Asymmetric keys.  X.509 key establishment.  Attack example.  Station To Station (STS) protocol.  Bellovin-Merritt protocol.

50 Symmetric Keys l Key establishment using only symmetric keys requires use of pre-distribution keys to get things going. l These can be based on:  Point to point distribution, or  Key Distribution Center (KDC).

51 Point-to-Point l Timestamp.  A -> B : E(K, (k, t, B)) l Nonce.  B -> A : r  A -> B : E(K, (k, r, B)) Session Key ISO/IEC 11770-2

52 Key Distribution Center

53 Distribution Center Setup l A wishes to communicate with B. l T is a trusted third party that provides session keys. l T has a key KAT in common with A and a key KBT in common with B. l A authenticates T using a nonce rA and obtains a session key from T. l A authenticates to B and transports the session key securely.

54 Needham-Schroeder 1. A -> T : A, B, rA 2. T -> A : E( KAT, (k, rA, B, E( KBT, (k, A)) )) A decrypts with KAT and checks rA and B. Holds k for future correspondence with B. 3. A -> B : E( KBT, (k, A)) B decrypts with KBT. 4. B -> A : E(k, rB) A decrypts with k. 5. A -> B : E(k, rB – 1) B checks rB-1.

55 Attack Scenario 1 1. A -> T : A, B, rA 2. T -> C (A) : E( KAT, (k, rA, B, E( KBT, (k, A)) )) C is unable to decrypt the message to A; passing it along unchanged does no harm. Any change will be detected by A.

56 Attack Scenario 2 1. A -> C (T) : A, B, rA 2. C (A) -> T : A, C, rA 3. T -> A : E( KAT, (k, rA, C, E( KCT, (k, A)) )) Rejected by A because C rather than B.

57 Attack Scenario 3 1. A -> C (T) : A, B, rA 2. C -> T : C, B, rA 3. T -> C : E( KCT, (k, rA, B, E( KBT, (k, C)) )) 4. C (T) -> A : E( KCT, (k, rA, B, E( KBT, (k, C)) )) A is unable to decrypt the message.

58 Attack Scenario 4 1. C -> T : C, B, rA 2. T -> C : E( KCT, (k, rA, B, E( KBT, (k, C)) )) 3. C (A) -> B : E( KBT, (k, C)) B will see that the purported origin (A) does not match the identity indicated by the distribution center.

59 Kerberos Setup l A,T,B, shared keys KAT, KBT as in distribution center. l Nonce rA generated by A. l Trusted synchronous clocks for generating a time t and checking expiration of a lifetime L.

60 Kerberos Messages 1. A -> T : A, B, rA 2. T -> A : E( KBT, (k, A, L)), E( KAT, (k, rA, L, B)) 3. A -> B : E( KBT, (k, A, L)), E( k, (A, t)) 4. B -> A : E(k, t) Ticket Authenticator

61 Kerberos Actions 1. A -> T : A, B, rA 2. T -> A : E( KBT, (k, A, L)), E( KAT, (k, rA, L, B)) Decrypt using KAT, check rA, B, and hold L for future reference. 3. A -> B : E( KBT, (k, A, L)), E( k, (A, t)) Decrypt the ticket using KBT to get the session key and lifetime. Use the session key to decrypt the authenticator. Check A, t, L. 4. B -> A : E(k, t) Check t.

62 Asymmetric Key Exchange l X.509 key establishment. l Impersonation case study. l STS. l Bellovin-Merritt protocol.

63 X.509 Key Establishment Setup l X.509 is part of the X.500 series of ISO/IEC standards. l certA and certB are certificates for the public keys of A and B. l A has encryption function EA and signature function SA. B has signature function SB. l rA and rB are nonces. l LA and LB are lifetimes (validity periods).

64 X.509 Key Est. Messages l Let DA = EB(k), rA, LA, A. l Let DB = rB, LB, rA, A l Two messages: 1.A -> B : certA, DA, SA(DA) Check that the nonce rA has not been seen, and is not expired according to LA. Remember it for its lifetime LA. 2.B -> A : certB, DB, SB(DB) Check the rA and A. Check that rB has not been seen and is not expired according to LB.

65 X.509 Variant l X.509 supports several variants on the previously-described protocol. l Let DA = EB(kA), rA, LA, A. l Let DB = EA(kB), rB, LB, rA, A l Two messages: 1.A -> B : certA, DA, SA(DA) 2.B -> A : certB, DB, SB(DB) Both A and B compute a session key f(kA, kB) as a function of subkeys supplied by A and B.

66 Impersonation Case Study

67 Protocol X 1. A -> T : A, B 2. T -> A : ST(EB, B) 3. A -> B : EB(kA, A) 4. B -> T : B, A 5. T -> B : ST(EA, A) 6. B -> A : EA(kA, kB)  Check kA. Calculate session key as f(kA,kB). 7. A -> B : EB(kB)  Check kB. Calculate session key as f(kA,kB).

68 Interleaving Attack on Protocol X l An interleaving attack on this protocol is possible. l An adversary C convinces:  A that he is talking to C using session key k = f(kA, kB).  B that his is talking to A using session key k. l C has access to the key k and can use it to decrypt the responses that B makes to A.

69 Compromise Scenario l B, C are taxpayers. A is the IRS. l A contacts C, (presumably) authenticates and sets up a session key k. C uses the interleaving attack with B. l B now thinks he is talking to the IRS. l C answers questions directed to him by the IRS. l Meanwhile C, pretending to be IRS, asks B for information about his income for the last 5 years.

70 What Went Wrong? l Entity authentication: determining who you are talking to. l Key establishment: settling on a shared session key. l Protocol X admits an interleaving attack that allows an adversary to exploit entity authentication and then step in to exploit key establishment.

71 Station-To-Station Protocol l Provides key confirmation and mutual authentication without revealing the identities of the participants to other parties. l Based on:  Diffie-Hellman.  Digital signatures using public key pairs.  Symmetric encryption.

72 Station-To-Station Setup l q prime with primitive root  where 1<  < q-1. q and  are agreed upon by A and B. l XA is the private key of A where 1 <= XA < q. The public key of A is YA =  **XA mod q. l XB is the private key of B where 1 <= XB < q. The public key of B is YB =  **XB mod q. l k =  **(XA * XB) is the session key.

73 STS Messages 1. A -> B : YA Calculate k. 2. B –> A : YB, E(k, SB(YB, YA)) Calculate k, use it to decrypt the signature, check the signature using the verification function of B and known values YB, YA. 3. A -> B : E(k, SA(YA, YB)) Decrypt the signature and check it using the verification function of A.

74 Passwords as Keys l Humans are not good at remembering 56 bit keys. l Solution: use passwords as keys. l Setup: P is a password known to both A and B. EA is a public key for A. l Simple protocol:  A -> B : E(P, K)  B -> A : E(K, “Terminal type:”)

75 Simple Protocol Vulnerability l Use a dictionary attack on the password. l This protocol enables an offline attack. l Let P* be a word in a dictionary of likely passwords. l Compute:  D(P*, E(P,K)) = K*  D(K*, E(K, “Terminal type:”)) = S  If S makes sense, then P* = P.

76 Countermeasure l The server supplies the session key, encrypted under the public key of A. l Guessing P only reveals EA(K), which is not useful in attacking the last message. 1. A -> B : E(P, EA) 2. B -> A : E(P, EA(K)) 3. B -> A : E(K, “Terminal type:”)

77 Bellovin-Merritt Protocol l A -> B : A, E(P, EA) l B -> A : E(P, EA(K)) l A -> B : E(K, rA) l B -> A : E(K, (rA, rB)) l A -> B : E(K, rB)

Download ppt "CIS/TCOM 551 Computer and Network Security Slide Set 5 Carl A. Gunter Spring 2004."

Similar presentations

Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
1 Distributed Computer Security: Authentication and Key Distribution Vijay Jain CSc 8320, Spring 2007.

1 Distributed Computer Security: Authentication and Key Distribution Vijay Jain CSc 8320, Spring 2007.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Authentication & Kerberos

Authentication & Kerberos
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,

1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.

Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.

1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
SMUCSE 5349/73491 Authentication Protocols. SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric.

SMUCSE 5349/73491 Authentication Protocols. SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric.
CSE331: Introduction to Networks and Security Lectures 26 & 27 Fall 2002.

CSE331: Introduction to Networks and Security Lectures 26 & 27 Fall 2002.
Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.

Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.
CSE331: Introduction to Networks and Security Lecture 23 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 23 Fall 2002.

Similar presentations

Ads by Google